fkie_cve-2022-49217
Vulnerability from fkie_nvd
Published
2025-02-26 07:00
Modified
2025-10-21 11:54
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix abort all task initialization In pm80xx_send_abort_all(), the n_elem field of the ccb used is not initialized to 0. This missing initialization sometimes lead to the task completion path seeing the ccb with a non-zero n_elem resulting in the execution of invalid dma_unmap_sg() calls in pm8001_ccb_task_free(), causing a crash such as: [ 197.676341] RIP: 0010:iommu_dma_unmap_sg+0x6d/0x280 [ 197.700204] RSP: 0018:ffff889bbcf89c88 EFLAGS: 00010012 [ 197.705485] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83d0bda0 [ 197.712687] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff88810dffc0d0 [ 197.719887] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8881c790098b [ 197.727089] R10: ffffed1038f20131 R11: 0000000000000001 R12: 0000000000000000 [ 197.734296] R13: ffff88810dffc0d0 R14: 0000000000000010 R15: 0000000000000000 [ 197.741493] FS: 0000000000000000(0000) GS:ffff889bbcf80000(0000) knlGS:0000000000000000 [ 197.749659] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 197.755459] CR2: 00007f16c1b42734 CR3: 0000000004814000 CR4: 0000000000350ee0 [ 197.762656] Call Trace: [ 197.765127] <IRQ> [ 197.767162] pm8001_ccb_task_free+0x5f1/0x820 [pm80xx] [ 197.772364] ? do_raw_spin_unlock+0x54/0x220 [ 197.776680] pm8001_mpi_task_abort_resp+0x2ce/0x4f0 [pm80xx] [ 197.782406] process_oq+0xe85/0x7890 [pm80xx] [ 197.786817] ? lock_acquire+0x194/0x490 [ 197.790697] ? handle_irq_event+0x10e/0x1b0 [ 197.794920] ? mpi_sata_completion+0x2d70/0x2d70 [pm80xx] [ 197.800378] ? __wake_up_bit+0x100/0x100 [ 197.804340] ? lock_is_held_type+0x98/0x110 [ 197.808565] pm80xx_chip_isr+0x94/0x130 [pm80xx] [ 197.813243] tasklet_action_common.constprop.0+0x24b/0x2f0 [ 197.818785] __do_softirq+0x1b5/0x82d [ 197.822485] ? do_raw_spin_unlock+0x54/0x220 [ 197.826799] __irq_exit_rcu+0x17e/0x1e0 [ 197.830678] irq_exit_rcu+0xa/0x20 [ 197.834114] common_interrupt+0x78/0x90 [ 197.840051] </IRQ> [ 197.844236] <TASK> [ 197.848397] asm_common_interrupt+0x1e/0x40 Avoid this issue by always initializing the ccb n_elem field to 0 in pm8001_send_abort_all(), pm8001_send_read_log() and pm80xx_send_abort_all().
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/16cd02e0951b520bef324adb9a35afcc92501cafPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1824a21b2cedc5774a5adfa74f5f7b90472d8677Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/279f318bd7d6e04e6e0bc7b8cd8e190da8fa37a4Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/326d894adf89f3c707b7784becbe241830daaab6Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/765674e3b30121782a2b792684554baa48c61f5ePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7f12845c8389855dbcc67baa068b6832dc4a396ePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9914461db82caee6c519acfbe10a86fe11bcdecaPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c8db786858d895ac58342f67767b4999ae6538faPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d6ec4471550cc53e96485a7124c5891e6a38d1c3Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "31C7B3E6-23EF-4043-9B08-F48D0FA6EBBB",
              "versionEndExcluding": "4.9.311",
              "versionStartIncluding": "3.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6D9B028C-6313-47F9-94B7-5F8122345E49",
              "versionEndExcluding": "4.14.276",
              "versionStartIncluding": "4.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA28527A-11D3-41D2-9C4C-ECAC0D6A4A2D",
              "versionEndExcluding": "4.19.238",
              "versionStartIncluding": "4.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8CB6E8F5-C2B1-46F3-A807-0F6104AC340F",
              "versionEndExcluding": "5.4.189",
              "versionStartIncluding": "4.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "91D3BFD0-D3F3-4018-957C-96CCBF357D79",
              "versionEndExcluding": "5.10.110",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "27C42AE8-B387-43E2-938A-E1C8B40BE6D5",
              "versionEndExcluding": "5.15.33",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "20C43679-0439-405A-B97F-685BEE50613B",
              "versionEndExcluding": "5.16.19",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "210C679C-CF84-44A3-8939-E629C87E54BF",
              "versionEndExcluding": "5.17.2",
              "versionStartIncluding": "5.17",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix abort all task initialization\n\nIn pm80xx_send_abort_all(), the n_elem field of the ccb used is not\ninitialized to 0. This missing initialization sometimes lead to the task\ncompletion path seeing the ccb with a non-zero n_elem resulting in the\nexecution of invalid dma_unmap_sg() calls in pm8001_ccb_task_free(),\ncausing a crash such as:\n\n[  197.676341] RIP: 0010:iommu_dma_unmap_sg+0x6d/0x280\n[  197.700204] RSP: 0018:ffff889bbcf89c88 EFLAGS: 00010012\n[  197.705485] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83d0bda0\n[  197.712687] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff88810dffc0d0\n[  197.719887] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8881c790098b\n[  197.727089] R10: ffffed1038f20131 R11: 0000000000000001 R12: 0000000000000000\n[  197.734296] R13: ffff88810dffc0d0 R14: 0000000000000010 R15: 0000000000000000\n[  197.741493] FS:  0000000000000000(0000) GS:ffff889bbcf80000(0000) knlGS:0000000000000000\n[  197.749659] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  197.755459] CR2: 00007f16c1b42734 CR3: 0000000004814000 CR4: 0000000000350ee0\n[  197.762656] Call Trace:\n[  197.765127]  \u003cIRQ\u003e\n[  197.767162]  pm8001_ccb_task_free+0x5f1/0x820 [pm80xx]\n[  197.772364]  ? do_raw_spin_unlock+0x54/0x220\n[  197.776680]  pm8001_mpi_task_abort_resp+0x2ce/0x4f0 [pm80xx]\n[  197.782406]  process_oq+0xe85/0x7890 [pm80xx]\n[  197.786817]  ? lock_acquire+0x194/0x490\n[  197.790697]  ? handle_irq_event+0x10e/0x1b0\n[  197.794920]  ? mpi_sata_completion+0x2d70/0x2d70 [pm80xx]\n[  197.800378]  ? __wake_up_bit+0x100/0x100\n[  197.804340]  ? lock_is_held_type+0x98/0x110\n[  197.808565]  pm80xx_chip_isr+0x94/0x130 [pm80xx]\n[  197.813243]  tasklet_action_common.constprop.0+0x24b/0x2f0\n[  197.818785]  __do_softirq+0x1b5/0x82d\n[  197.822485]  ? do_raw_spin_unlock+0x54/0x220\n[  197.826799]  __irq_exit_rcu+0x17e/0x1e0\n[  197.830678]  irq_exit_rcu+0xa/0x20\n[  197.834114]  common_interrupt+0x78/0x90\n[  197.840051]  \u003c/IRQ\u003e\n[  197.844236]  \u003cTASK\u003e\n[  197.848397]  asm_common_interrupt+0x1e/0x40\n\nAvoid this issue by always initializing the ccb n_elem field to 0 in\npm8001_send_abort_all(), pm8001_send_read_log() and\npm80xx_send_abort_all()."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: pm8001: Se ha corregido la interrupci\u00f3n de todas las inicializaciones de tareas. En pm80xx_send_abort_all(), el campo n_elem del ccb utilizado no se inicializa a 0. Esta inicializaci\u00f3n faltante a veces provoca que la ruta de finalizaci\u00f3n de la tarea vea el ccb con un n_elem distinto de cero, lo que da como resultado la ejecuci\u00f3n de llamadas dma_unmap_sg() no v\u00e1lidas en pm8001_ccb_task_free(), lo que provoca un bloqueo como el siguiente: [ 197.676341] RIP: 0010:iommu_dma_unmap_sg+0x6d/0x280 [ 197.700204] RSP: 0018:ffff889bbcf89c88 EFLAGS: 00010012 [ 197.705485] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83d0bda0 [ 197.712687] RDX: 00000000000000002 RSI: 0000000000000000 RDI: ffff88810dffc0d0 [ 197.719887] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8881c790098b [ 197.727089] R10: ffffed1038f20131 R11: 0000000000000001 R12: 0000000000000000 [ 197.734296] R13: ffff88810dffc0d0 R14: 0000000000000010 R15: 0000000000000000 [ 197.741493] FS: 000000000000000(0000) GS:ffff889bbcf80000(0000) knlGS:0000000000000000 [ 197.749659] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 197.755459] CR2: 00007f16c1b42734 CR3: 0000000004814000 CR4: 0000000000350ee0 [ 197.762656] Rastreo de llamadas: [ 197.765127]  [ 197.767162] pm8001_ccb_task_free+0x5f1/0x820 [pm80xx] [ 197.772364] ? do_raw_spin_unlock+0x54/0x220 [ 197.776680] pm8001_mpi_task_abort_resp+0x2ce/0x4f0 [pm80xx] [ 197.782406] process_oq+0xe85/0x7890 [pm80xx] [ 197.786817] ? lock_acquire+0x194/0x490 [ 197.790697] ? handle_irq_event+0x10e/0x1b0 [ 197.794920] ? mpi_sata_completion+0x2d70/0x2d70 [pm80xx] [ 197.800378] ? __wake_up_bit+0x100/0x100 [ 197.804340] ? lock_is_held_type+0x98/0x110 [ 197.808565] pm80xx_chip_isr+0x94/0x130 [pm80xx] [ 197.813243] tasklet_action_common.constprop.0+0x24b/0x2f0 [ 197.818785] __do_softirq+0x1b5/0x82d [ 197.822485] ? do_raw_spin_unlock+0x54/0x220 [ 197.826799] __irq_exit_rcu+0x17e/0x1e0 [ 197.830678] irq_exit_rcu+0xa/0x20 [ 197.834114] common_interrupt+0x78/0x90 [ 197.840051]  [ 197.844236]  [ 197.848397] asm_common_interrupt+0x1e/0x40 Evite este problema inicializando siempre el campo n_elem de ccb en 0 en pm8001_send_abort_all(), pm8001_send_read_log() y pm80xx_send_abort_all()."
    }
  ],
  "id": "CVE-2022-49217",
  "lastModified": "2025-10-21T11:54:10.390",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-26T07:00:58.787",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/16cd02e0951b520bef324adb9a35afcc92501caf"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/1824a21b2cedc5774a5adfa74f5f7b90472d8677"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/279f318bd7d6e04e6e0bc7b8cd8e190da8fa37a4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/326d894adf89f3c707b7784becbe241830daaab6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/765674e3b30121782a2b792684554baa48c61f5e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/7f12845c8389855dbcc67baa068b6832dc4a396e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9914461db82caee6c519acfbe10a86fe11bcdeca"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/c8db786858d895ac58342f67767b4999ae6538fa"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/d6ec4471550cc53e96485a7124c5891e6a38d1c3"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-909"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.