{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2022-48835",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-07-16T11:38:08.906Z",
        "datePublished": "2024-07-16T12:25:07.907Z",
        "dateUpdated": "2024-09-11T17:34:10.476Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-07-16T12:25:07.907Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Page fault in reply q processing\n\nA page fault was encountered in mpt3sas on a LUN reset error path:\n\n[  145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0)\n[  145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2)\n[  145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2)\n[  145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c 01 01 ff fc 00\n[  145.837617] scsi target1:0:0: handle(0x0002), sas_address(0x500605b0000272b9), phy(0)\n[  145.848598] scsi target1:0:0: enclosure logical id(0x500605b0000272b8), slot(0)\n[  149.858378] mpt3sas_cm1: Poll ReplyDescriptor queues for completion of smid(0), task_type(0x05), handle(0x0002)\n[  149.875202] BUG: unable to handle page fault for address: 00000007fffc445d\n[  149.885617] #PF: supervisor read access in kernel mode\n[  149.894346] #PF: error_code(0x0000) - not-present page\n[  149.903123] PGD 0 P4D 0\n[  149.909387] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[  149.917417] CPU: 24 PID: 3512 Comm: scsi_eh_1 Kdump: loaded Tainted: G S         O      5.10.89-altav-1 #1\n[  149.934327] Hardware name: DDN           200NVX2             /200NVX2-MB          , BIOS ATHG2.2.02.01 09/10/2021\n[  149.951871] RIP: 0010:_base_process_reply_queue+0x4b/0x900 [mpt3sas]\n[  149.961889] Code: 0f 84 22 02 00 00 8d 48 01 49 89 fd 48 8d 57 38 f0 0f b1 4f 38 0f 85 d8 01 00 00 49 8b 45 10 45 31 e4 41 8b 55 0c 48 8d 1c d0 <0f> b6 03 83 e0 0f 3c 0f 0f 85 a2 00 00 00 e9 e6 01 00 00 0f b7 ee\n[  149.991952] RSP: 0018:ffffc9000f1ebcb8 EFLAGS: 00010246\n[  150.000937] RAX: 0000000000000055 RBX: 00000007fffc445d RCX: 000000002548f071\n[  150.011841] RDX: 00000000ffff8881 RSI: 0000000000000001 RDI: ffff888125ed50d8\n[  150.022670] RBP: 0000000000000000 R08: 0000000000000000 R09: c0000000ffff7fff\n[  150.033445] R10: ffffc9000f1ebb68 R11: ffffc9000f1ebb60 R12: 0000000000000000\n[  150.044204] R13: ffff888125ed50d8 R14: 0000000000000080 R15: 34cdc00034cdea80\n[  150.054963] FS:  0000000000000000(0000) GS:ffff88dfaf200000(0000) knlGS:0000000000000000\n[  150.066715] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  150.076078] CR2: 00000007fffc445d CR3: 000000012448a006 CR4: 0000000000770ee0\n[  150.086887] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  150.097670] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  150.108323] PKRU: 55555554\n[  150.114690] Call Trace:\n[  150.120497]  ? printk+0x48/0x4a\n[  150.127049]  mpt3sas_scsih_issue_tm.cold.114+0x2e/0x2b3 [mpt3sas]\n[  150.136453]  mpt3sas_scsih_issue_locked_tm+0x86/0xb0 [mpt3sas]\n[  150.145759]  scsih_dev_reset+0xea/0x300 [mpt3sas]\n[  150.153891]  scsi_eh_ready_devs+0x541/0x9e0 [scsi_mod]\n[  150.162206]  ? __scsi_host_match+0x20/0x20 [scsi_mod]\n[  150.170406]  ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\n[  150.178925]  ? blk_mq_tagset_busy_iter+0x45/0x60\n[  150.186638]  ? scsi_try_target_reset+0x90/0x90 [scsi_mod]\n[  150.195087]  scsi_error_handler+0x3a5/0x4a0 [scsi_mod]\n[  150.203206]  ? __schedule+0x1e9/0x610\n[  150.209783]  ? scsi_eh_get_sense+0x210/0x210 [scsi_mod]\n[  150.217924]  kthread+0x12e/0x150\n[  150.224041]  ? kthread_worker_fn+0x130/0x130\n[  150.231206]  ret_from_fork+0x1f/0x30\n\nThis is caused by mpt3sas_base_sync_reply_irqs() using an invalid reply_q\npointer outside of the list_for_each_entry() loop. At the end of the full\nlist traversal the pointer is invalid.\n\nMove the _base_process_reply_queue() call inside of the loop."
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "drivers/scsi/mpt3sas/mpt3sas_base.c"
                    ],
                    "versions": [
                        {
                            "version": "711a923c14d9",
                            "lessThan": "98e7a654a5be",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "711a923c14d9",
                            "lessThan": "0cd2dd4bcf4a",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "711a923c14d9",
                            "lessThan": "3916e33b9175",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "711a923c14d9",
                            "lessThan": "69ad4ef868c1",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "drivers/scsi/mpt3sas/mpt3sas_base.c"
                    ],
                    "versions": [
                        {
                            "version": "5.10",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "5.10",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.10.108",
                            "lessThanOrEqual": "5.10.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.15.31",
                            "lessThanOrEqual": "5.15.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.16.17",
                            "lessThanOrEqual": "5.16.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "5.17",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/98e7a654a5bebaf1a28e987af5e44c002544a413"
                },
                {
                    "url": "https://git.kernel.org/stable/c/0cd2dd4bcf4abc812148c4943f966a3c8dccb00f"
                },
                {
                    "url": "https://git.kernel.org/stable/c/3916e33b917581e2b2086e856c291cb86ea98a05"
                },
                {
                    "url": "https://git.kernel.org/stable/c/69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3"
                }
            ],
            "title": "scsi: mpt3sas: Page fault in reply q processing",
            "x_generator": {
                "engine": "bippy-c9c4e1df01b2"
            }
        },
        "adp": [
            {
                "providerMetadata": {
                    "orgId": "af854a3a-2127-422b-91ae-364da2661108",
                    "shortName": "CVE",
                    "dateUpdated": "2024-08-03T15:25:01.548Z"
                },
                "title": "CVE Program Container",
                "references": [
                    {
                        "url": "https://git.kernel.org/stable/c/98e7a654a5bebaf1a28e987af5e44c002544a413",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/0cd2dd4bcf4abc812148c4943f966a3c8dccb00f",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/3916e33b917581e2b2086e856c291cb86ea98a05",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/69ad4ef868c1fc7609daa235dfa46d28ba7a3ba3",
                        "tags": [
                            "x_transferred"
                        ]
                    }
                ]
            },
            {
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "id": "CVE-2022-48835",
                                "role": "CISA Coordinator",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "version": "2.0.3",
                                "timestamp": "2024-09-10T16:57:13.839811Z"
                            }
                        }
                    }
                ],
                "title": "CISA ADP Vulnrichment",
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-09-11T17:34:10.476Z"
                }
            }
        ]
    }
}