< Back

CVE-2022-48790

Updated on 16 Jul 2024

Severity

7.0 High severity

Details

CVSS score: 7.0
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE ID: CWE-416 Use After Free
Affected product
Affected component
Links: NIST CIRCL RHEL Ubuntu

Overview

About vulnerability

In the Linux kernel, the following vulnerability has been resolved:

nvme: fix a possible use-after-free in controller reset during load

Unlike .queue_rq, in .submit_async_event drivers may not check the ctrl readiness for AER submission. This may lead to a use-after-free condition that was observed with nvme-tcp.

The race condition may happen in the following scenario:

driver executes its reset_ctrl_work
-> nvme_stop_ctrl - flushes ctrl async_event_work
ctrl sends AEN which is received by the host, which in turn schedules AEN handling
teardown admin queue (which releases the queue socket)
AEN processed, submits another AER, calling the driver to submit
driver attempts to send the cmd ==> use-after-free

In order to fix that, add ctrl state check to validate the ctrl is actually able to accept the AER submission.

This addresses the above race in controller resets because the driver during teardown should:

change ctrl state to RESETTING
flush async_event_work (as well as other async work elements)

So after 1,2, any other AER command will find the ctrl state to be RESETTING and bail out without submitting the AER.

Details

Affected product:: CentOS 6 ELS , CentOS 8.4 ELS , CentOS 8.5 ELS , CloudLinux 6 ELS , Oracle Linux 6 ELS , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS
Affected packages:: kernel @ 2.6.32 (+7 more)

In the Linux kernel, the following vulnerability has been resolved:

nvme: fix a possible use-after-free in controller reset during load

Unlike .queue_rq, in .submit_async_event drivers may not check the ctrl readiness for AER submission. This may lead to a use-after-free condition that was observed with nvme-tcp.

The race condition may happen in the following scenario:

driver executes its reset_ctrl_work
-> nvme_stop_ctrl - flushes ctrl async_event_work
ctrl sends AEN which is received by the host, which in turn schedules AEN handling
teardown admin queue (which releases the queue socket)
AEN processed, submits another AER, calling the driver to submit
driver attempts to send the cmd ==> use-after-free

In order to fix that, add ctrl state check to validate the ctrl is actually able to accept the AER submission.

This addresses the above race in controller resets because the driver during teardown should:

change ctrl state to RESETTING
flush async_event_work (as well as other async work elements)

So after 1,2, any other AER command will find the ctrl state to be RESETTING and bail out without submitting the AER.

Fixes

Operating system / Project

Release info

Copy page link

Open as a page

Advisory

CLSA-2025:1748945064

Operating system

CentOS 8.4 ELS

Published date

Nov 16, 2014

Project

Linux

Version

2.11.0-1~ubuntu16.04.1+tuxcare.els12

How to fix

Update command:

apt-get update
apt-get --only-upgrade install ansible*

Changelog

Insufficiently Random Passwords Leakage
Debian/patches/CVE-2020-10729.patch: Fix caching of Jinja2 expressions to prevent caching dynamic results
CVE-2020-10729

Packages list

ansible_2.5.1+dfsg-1ubuntu0.1+tuxcare.els6_all.deb

CVE-2022-48790

Severity

Details

Overview

About vulnerability

Details

Statement

Fixes

Statement

Subscribe to updates

Contact us