Bug 1228013 (CVE-2022-48792)

Summary: VUL-0: CVE-2022-48792: kernel: scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Kernel Bugs <kernel-bugs>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P2 - High CC: andrea.mattiazzo, meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/414221/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-48792:7.0:(AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1228017    

Description SMASH SMASH 2024-07-17 08:16:10 UTC 
In the Linux kernel, the following vulnerability has been resolved:

scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task

Currently a use-after-free may occur if a sas_task is aborted by the upper
layer before we handle the I/O completion in mpi_ssp_completion() or
mpi_sata_completion().

In this case, the following are the two steps in handling those I/O
completions:

 - Call complete() to inform the upper layer handler of completion of
   the I/O.

 - Release driver resources associated with the sas_task in
   pm8001_ccb_task_free() call.

When complete() is called, the upper layer may free the sas_task. As such,
we should not touch the associated sas_task afterwards, but we do so in the
pm8001_ccb_task_free() call.

Fix by swapping the complete() and pm8001_ccb_task_free() calls ordering.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-48792
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2022/CVE-2022-48792.mbox
https://git.kernel.org/stable/c/fe9ac3eaa2e387a5742b380b73a5a6bc237bf184
https://git.kernel.org/stable/c/d9d93f32534a0a80a1c26bdb0746d90a7b19c2c2
https://git.kernel.org/stable/c/f61f9fccb2cb4bb275674a79d638704db6bc2171
https://git.kernel.org/stable/c/df7abcaa1246e2537ab4016077b5443bb3c09378
https://www.cve.org/CVERecord?id=CVE-2022-48792
https://bugzilla.redhat.com/show_bug.cgi?id=2298128