5.5
CVE-2022-50459
- EPSS 0.15%
- Veröffentlicht 01.10.2025 12:15:39
- Zuletzt bearbeitet 16.01.2026 19:24:44
- CVE-Watchlists
- Unerledigt
scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()
In the Linux kernel, the following vulnerability has been resolved:
scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()
Fix a NULL pointer crash that occurs when we are freeing the socket at the
same time we access it via sysfs.
The problem is that:
1. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() take
the frwd_lock and do sock_hold() then drop the frwd_lock. sock_hold()
does a get on the "struct sock".
2. iscsi_sw_tcp_release_conn() does sockfd_put() which does the last put
on the "struct socket" and that does __sock_release() which sets the
sock->ops to NULL.
3. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() then
call kernel_getpeername() which accesses the NULL sock->ops.
Above we do a get on the "struct sock", but we needed a get on the "struct
socket". Originally, we just held the frwd_lock the entire time but in
commit bcf3a2953d36 ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while
calling getpeername()") we switched to refcount based because the network
layer changed and started taking a mutex in that path, so we could no
longer hold the frwd_lock.
Instead of trying to maintain multiple refcounts, this just has us use a
mutex for accessing the socket in the interface code paths.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 5.8.14 < 5.9
Linux ≫ Linux Kernel Version >= 5.9.1 < 5.10.150
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.75
Linux ≫ Linux Kernel Version >= 5.16 < 5.19.17
Linux ≫ Linux Kernel Version >= 6.0 < 6.0.3
Linux ≫ Linux Kernel Version5.9 Update-
Linux ≫ Linux Kernel Version5.9 Updaterc8
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.15% | 0.048 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-476 NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.
https://git.kernel.org/stable/c/0a0b861fce2657ba08ec356a74346b37ca4b2008
https://git.kernel.org/stable/c/57569c37f0add1b6489e1a1563c71519daf732cf
https://git.kernel.org/stable/c/884a788f065578bb640382279a83d1df433b13e6
https://git.kernel.org/stable/c/897dbbc57d71e8a34ec1af8e573a142de457da38
https://git.kernel.org/stable/c/a26b0658751bb0a3b28386fca715333b104d32a2