Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
nvmet: avoid potential UAF in nvmet_req_complete()
An nvme target ->queue_response() operation implementation may free the request passed as argument. Such implementation potentially could result in a use after free of the request pointer when percpu_ref_put() is called in nvmet_req_complete().
Avoid such problem by using a local variable to save the sq pointer before calling __nvmet_req_complete(), thus avoiding dereferencing the req pointer after that function call.
Details
- Affected product:
- AlmaLinux 9.2 ESU , CentOS 8.4 ELS , CentOS 8.5 ELS , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS
- Affected packages:
- linux-hwe @ 4.15.0 (+4 more)
In the Linux kernel, the following vulnerability has been resolved:
nvmet: avoid potential UAF in nvmet_req_complete()
An nvme target ->queue_response() operation implementation may free the request passed as argument. Such implementation potentially could result in a use after free of the request pointer when percpu_ref_put() is called in nvmet_req_complete().
Avoid such problem by using a local variable to save the sq pointer before calling __nvmet_req_complete(), thus avoiding dereferencing the req pointer after that function call.