CVE-2022-50459
EUVD-2025-3281601.10.2025, 12:15
In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()
Fix a NULL pointer crash that occurs when we are freeing the socket at the
same time we access it via sysfs.
The problem is that:
1. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() take
the frwd_lock and do sock_hold() then drop the frwd_lock. sock_hold()
does a get on the "struct sock".
2. iscsi_sw_tcp_release_conn() does sockfd_put() which does the last put
on the "struct socket" and that does __sock_release() which sets the
sock->ops to NULL.
3. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() then
call kernel_getpeername() which accesses the NULL sock->ops.
Above we do a get on the "struct sock", but we needed a get on the "struct
socket". Originally, we just held the frwd_lock the entire time but in
commit bcf3a2953d36 ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while
calling getpeername()") we switched to refcount based because the network
layer changed and started taking a mutex in that path, so we could no
longer hold the frwd_lock.
Instead of trying to maintain multiple refcounts, this just has us use a
mutex for accessing the socket in the interface code paths.EnginsightAffected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 5.8.14 ≤ 𝑥 < 5.9 |
| linux | linux_kernel | 5.9.1 ≤ 𝑥 < 5.10.150 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.75 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 5.19.17 |
| linux | linux_kernel | 6.0 ≤ 𝑥 < 6.0.3 |
| linux | linux_kernel | 5.9 |
| linux | linux_kernel | 5.9:rc8 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration
References