| ID |
CVE-2022-50459
|
| Sažetak |
In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()
Fix a NULL pointer crash that occurs when we are freeing the socket at the
same time we access it via sysfs.
The problem is that:
1. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() take
the frwd_lock and do sock_hold() then drop the frwd_lock. sock_hold()
does a get on the "struct sock".
2. iscsi_sw_tcp_release_conn() does sockfd_put() which does the last put
on the "struct socket" and that does __sock_release() which sets the
sock->ops to NULL.
3. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() then
call kernel_getpeername() which accesses the NULL sock->ops.
Above we do a get on the "struct sock", but we needed a get on the "struct
socket". Originally, we just held the frwd_lock the entire time but in
commit bcf3a2953d36 ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while
calling getpeername()") we switched to refcount based because the network
layer changed and started taking a mutex in that path, so we could no
longer hold the frwd_lock.
Instead of trying to maintain multiple refcounts, this just has us use a
mutex for accessing the socket in the interface code paths. |
| Reference |
|
| CVSS |
| Base: | 5.5 |
| Impact: | 3.6 |
| Exploitability: | 1.8 |
|
| Pristup |
| Vektor | Složenost | Autentikacija |
| LOCAL |
LOW |
LOW |
|
| Impact |
| Povjerljivost | Cjelovitost | Dostupnost |
| NONE |
NONE |
HIGH |
|
| CVSS vektor |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| Zadnje važnije ažuriranje |
16-01-2026 - 19:24 |
| Objavljeno |
01-10-2025 - 12:15 |
