CVE-2022-49053

In the Linux kernel, the following vulnerability has been resolved: scsi: target: tcmu: Fix possible page UAF tcmu_try_get_data_page() looks up pages under cmdr_lock, but it does not take refcount properly and just returns page pointer. When tcmu_try_get_data_page() returns, the returned page may have been freed by tcmu_blocks_release(). We need to get_page() under cmdr_lock to avoid concurrent tcmu_blocks_release().

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/a6968f7a367f128d120447360734344d5a3d5336	Patch
https://git.kernel.org/stable/c/a9564d84ed9f6ee71017d062d0d2182154294a4b	Patch
https://git.kernel.org/stable/c/aec36b98a1bbaa84bfd8299a306e4c12314af626	Patch
https://git.kernel.org/stable/c/b7f3b5d70c834f49f7d87a2f2ed1c6284d9a0322	Patch
https://git.kernel.org/stable/c/d7c5d79e50be6e06b669141e3db1f977a0dd4e8e	Patch
https://git.kernel.org/stable/c/e3e0e067d5b34e4a68e3cc55f8eebc413f56f8ed	Patch
https://git.kernel.org/stable/c/fb7a5115422fbd6a4d505e8844f1ef5529f10489	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:5.18:rc1::::::

History

No history.

Information

Published : 2025-02-26 07:00

Updated : 2025-03-24 17:43

NVD link : CVE-2022-49053

Mitre link : CVE-2022-49053

CVE.ORG link : CVE-2022-49053

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

{"id": "CVE-2022-49053", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:00:42.563", "references": [{"url": "https://git.kernel.org/stable/c/a6968f7a367f128d120447360734344d5a3d5336", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a9564d84ed9f6ee71017d062d0d2182154294a4b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aec36b98a1bbaa84bfd8299a306e4c12314af626", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b7f3b5d70c834f49f7d87a2f2ed1c6284d9a0322", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d7c5d79e50be6e06b669141e3db1f977a0dd4e8e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e3e0e067d5b34e4a68e3cc55f8eebc413f56f8ed", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fb7a5115422fbd6a4d505e8844f1ef5529f10489", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: target: tcmu: Fix possible page UAF\n\ntcmu_try_get_data_page() looks up pages under cmdr_lock, but it does not\ntake refcount properly and just returns page pointer. When\ntcmu_try_get_data_page() returns, the returned page may have been freed by\ntcmu_blocks_release().\n\nWe need to get_page() under cmdr_lock to avoid concurrent\ntcmu_blocks_release()."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: scsi: target: tcmu: Fix possible page UAF tcmu_try_get_data_page() busca p\u00e1ginas bajo cmdr_lock, pero no toma el recuento de referencias correctamente y solo devuelve el puntero de p\u00e1gina. Cuando tcmu_try_get_data_page() regresa, la p\u00e1gina devuelta puede haber sido liberada por tcmu_blocks_release(). Necesitamos get_page() bajo cmdr_lock para evitar tcmu_blocks_release() concurrente."}], "lastModified": "2025-03-24T17:43:58.983", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3088C36B-F9EB-4609-A0D0-EB411E2E915B", "versionEndExcluding": "4.14.276"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "712D9B45-4B53-4563-94B5-F758AFBBFB0D", "versionEndExcluding": "4.19.239", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0ADBA6D-47D8-4518-8D10-9B9196DE680B", "versionEndExcluding": "5.4.190", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0460A5D2-3024-497A-B799-23E025B91972", "versionEndExcluding": "5.10.112", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "05ABCC3F-88A9-47F9-9D40-8665747B2E43", "versionEndExcluding": "5.15.35", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E22C86CB-06CD-4D16-AB2A-F21EE8199262", "versionEndExcluding": "5.17.4", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6AD94161-84BB-42E6-9882-4FC0C42E9FC1"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}