CVE-2022-48790

{"id": "CVE-2022-48790", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}]}, "published": "2024-07-16T12:15:03.843", "references": [{"url": "https://git.kernel.org/stable/c/0ead57ceb21bbf15963b4874c2ac67143455382f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0fa0f99fc84e41057cbdd2efbfe91c6b2f47dd9d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/70356b756a58704e5c8818cb09da5854af87e765", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9e956a2596ae276124ef0d96829c013dd0faf861", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a25e460fbb0340488d119fb2e28fe3f829b7417e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e043fb5a0336ee74614e26f0d9f36f1f5bb6d606", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix a possible use-after-free in controller reset during load\n\nUnlike .queue_rq, in .submit_async_event drivers may not check the ctrl\nreadiness for AER submission. This may lead to a use-after-free\ncondition that was observed with nvme-tcp.\n\nThe race condition may happen in the following scenario:\n1. driver executes its reset_ctrl_work\n2. -> nvme_stop_ctrl - flushes ctrl async_event_work\n3. ctrl sends AEN which is received by the host, which in turn\n schedules AEN handling\n4. teardown admin queue (which releases the queue socket)\n5. AEN processed, submits another AER, calling the driver to submit\n6. driver attempts to send the cmd\n==> use-after-free\n\nIn order to fix that, add ctrl state check to validate the ctrl\nis actually able to accept the AER submission.\n\nThis addresses the above race in controller resets because the driver\nduring teardown should:\n1. change ctrl state to RESETTING\n2. flush async_event_work (as well as other async work elements)\n\nSo after 1,2, any other AER command will find the\nctrl state to be RESETTING and bail out without submitting the AER."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: nvme: corrige un posible use-after-free en el reinicio del controlador durante la carga. A diferencia de .queue_rq, en .submit_async_event es posible que los controladores no verifiquen la preparaci\u00f3n de Ctrl para el env\u00edo de AER. Esto puede provocar una condici\u00f3n de use-after-free que se observ\u00f3 con nvme-tcp. La condici\u00f3n de ejecuci\u00f3n puede ocurrir en el siguiente escenario: 1. el controlador ejecuta su reset_ctrl_work 2. -> nvme_stop_ctrl - vac\u00eda ctrl async_event_work 3. ctrl env\u00eda AEN que es recibido por el host, que a su vez programa el manejo de AEN 4. desmontaje de la cola de administraci\u00f3n (que libera el socket de la cola) 5. AEN procesado, env\u00eda otro AER, llamando al controlador para enviar 6. el controlador intenta enviar el cmd ==> use-after-free Para solucionar eso, agregue la verificaci\u00f3n de estado de ctrl para validar que ctrl es realmente capaz de aceptar la presentaci\u00f3n de la ARE. Esto soluciona la ejecuci\u00f3n anterior en los reinicios del controlador porque el controlador durante el desmontaje debe: 1. cambiar el estado de Ctrl a RESTABLECER 2. vaciar async_event_work (as\u00ed como otros elementos de trabajo as\u00edncronos) Entonces, despu\u00e9s de 1,2, cualquier otro comando AER encontrar\u00e1 el estado de Ctrl estar RESETING y rescatar sin presentar la AER."}], "lastModified": "2024-08-07T20:06:57.857", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BED6719E-2004-42C8-8CA4-4E4CD159B63F", "versionEndExcluding": "4.19.231"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB33213E-1A45-4E3B-A129-58AAA2EB921D", "versionEndExcluding": "5.4.181", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DAD66A9A-8D06-48D1-8AA8-FC060496FF53", "versionEndExcluding": "5.10.102", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D098AA16-8E21-4EB7-AE2F-1EEB58E1A3A3", "versionEndExcluding": "5.15.25", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D327234-5D4A-43DC-A6DF-BCA0CEBEC039", "versionEndExcluding": "5.16.11", "versionStartIncluding": "5.16"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}