VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2022-50840

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: snic: Fix possible UAF in snic_tgt_create()

Smatch reports a warning as follows:

drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn: '&tgt->list' not removed from list

If device_add() fails in snic_tgt_create(), tgt will be freed, but tgt->list will not be removed from snic->disc.tgt_list, then list traversal may cause UAF.

Remove from snic->disc.tgt_list before free().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free (UAF) vulnerability in the Linux kernel's SNIC driver, where a target structure is freed without being removed from a list, potentially allowing list traversal to access freed memory.

Vulnerability

Analysis

The Linux kernel's SNIC (Samsung NVM Express over Fabrics Initiator) driver contains a use-after-free (UAF) vulnerability in the snic_tgt_create() function in drivers/scsi/snic/snic_disc.c. The issue arises when device_add() fails — the allocated target structure (tgt) is freed, but the tgt->list entry is not removed from the snic->disc.tgt_list linked list [1][2][3][4]. This leaves a dangling list element pointing to freed memory.

Exploitation

To trigger this vulnerability, an attacker would need to cause device_add() to fail within snic_tgt_create(). This could happen, for example, if the system runs out of memory or if a device number conflict occurs. Once the structure is freed but remains on the list, any subsequent traversal of tgt_list (e.g., during discovery or other operations) will dereference a freed tgt pointer, leading to a use-after-free. No specific prerequisites beyond local access are mentioned, but exploitation likely requires some ability to influence device enumeration or trigger resource exhaustion.

Impact

A successful exploit could allow an attacker to cause a kernel crash (denial of service) or potentially achieve arbitrary code execution due to the UAF condition. The vulnerability could lead to privilege escalation if triggered from a less privileged context, though the limited attack surface makes remote exploitation unlikely without prior access to the system.

Mitigation

The fix, introduced in the Linux kernel stable tree, removes the tgt from snic->disc.tgt_list before calling kfree() on failure, ensuring the list remains consistent [1][2][3][4]. Users should apply the patched kernel version containing the commit that addresses this issue.
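The error path and its fix, modelled in userspace C as an added example (not the kernel's or the driver's code). The names tgt_create_model(), add_ok, unlink_first and the freed flag that stands in for kfree() are hypothetical, and the locking a real driver needs around the list is left out.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal circular list in the style of the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
}

/* Stand-in for the target object. 'freed' models kfree(): the memory is kept
 * (and deliberately leaked) so the demo can inspect a stale node safely. */
struct tgt { struct list_head list; int freed; };

/* Model of the error path: add_ok simulates the result of device_add(),
 * unlink_first selects the fixed ordering (remove from list, then free). */
static struct tgt *tgt_create_model(struct list_head *tgt_list,
                                    int add_ok, int unlink_first) {
    struct tgt *t = calloc(1, sizeof(*t));
    if (!t) return NULL;
    list_add_tail(&t->list, tgt_list);     /* object is now reachable by others */
    if (add_ok) return t;
    if (unlink_first) list_del(&t->list);  /* the fix: unlink before freeing */
    t->freed = 1;                          /* kfree(tgt) in the driver */
    return NULL;
}

/* Count list entries that still point at objects already "freed". */
static int stale_entries(const struct list_head *h) {
    int n = 0;
    for (const struct list_head *p = h->next; p != h; p = p->next)
        n += ((const struct tgt *)p)->freed;  /* list is the first member */
    return n;
}

/* One healthy target, then one whose simulated device_add() may fail. */
static int run_case(int add_ok, int unlink_first) {
    struct list_head head;
    list_init(&head);
    tgt_create_model(&head, 1, unlink_first);
    tgt_create_model(&head, add_ok, unlink_first);
    return stale_entries(&head);
}
int main(void) {
    printf("add fails, free only:    %d stale\n", run_case(0, 0));
    printf("add fails, unlink first: %d stale\n", run_case(0, 1));
    return 0;
}
```

In the kernel the stale node would point at released memory, so the traversal in stale_entries() is exactly the access that becomes a use-after-free.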

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
