CVE-2022-49376 - Linux Kernel Vulnerability—NULL Pointer Dereference in SCSI sd_probe()

*CVE-2022-49376 is a lesser-known, yet significant vulnerability that affected the Linux kernel's SCSI subsystem. While the issue was patched in Linux, understanding its mechanics can help developers, sysadmins, and security enthusiasts appreciate both the importance of NULL pointer risk and safe kernel programming principles.*

What Is CVE-2022-49376?

CVE-2022-49376 describes a bug in the Linux kernel code responsible for handling SCSI disk (sd) devices. Specifically, the vulnerability arises from how error paths are managed within the sd_probe() function. In the event of an early error during device probing—before some critical fields are initialized—cleanup code would be called that didn't check if initialization actually happened. This resulted in the potential for a NULL pointer dereference (an attempt to access memory via a pointer that hasn't been properly set, which usually leads to a crash).

Where Did the Problem Happen?

In the SCSI disk implementation, the function sd_probe() is called when a new SCSI disk is being set up. If an early error happens and sdkp->device isn't set yet, the function attempted to run cleanup that depended on things initialized later—specifically, it called sd_zbc_release_disk() which expects valid structures to clean up.

Here’s a simplified representation of the problematic code

int sd_probe(struct device *dev)
{
    struct scsi_disk *sdkp;
    // ... lots of setup code ...

    if (some_error_condition) {
        sd_zbc_release_disk(sdkp);  // BAD: sdkp->device might not be valid!
        return -ENODEV;
    }

    // ... more setup and finish ...
}

In sd_zbc_release_disk(), there’s a call to sd_is_zoned(), which consults fields that might not be set if sd_probe() hasn’t finished all its work yet. That’s where the NULL pointer dereference happened.

How Was the Issue Fixed?

The kernel patch removed the buggy call to sd_zbc_release_disk() from the error path in sd_probe(). Why is this OK? Because the zone information (sd_zbc)—which this cleanup is meant to free—is only ever allocated after more setup is complete, specifically in sd_revalidate_disk(). So there’s no need to try to release this info on early exit: there’s nothing allocated yet.

Here’s the fix, excerpted from the patch (with comments)

// Before: would call cleanup even when unnecessary
if (setup_failed) {
    sd_zbc_release_disk(sdkp);  // Potential NULL deref!
    return -ENODEV;
}

// After: simply returns, as there’s nothing to clean up yet
if (setup_failed) {
    return -ENODEV;
}

This is a textbook example of why cleanup code in error paths must match allocations done up to that point and not exceed them.

Technical Details

- Vulnerable function: sd_probe() in drivers/scsi/sd.c
- Potential exploit: An attacker with the ability to trigger specific device errors during device probing could cause a kernel crash (Denial of Service) due to a NULL pointer dereference—most likely local, possibly via a crafted SCSI device.
- Patched in: Mainline Linux, see commit 3f793e2c5b42

References:

- LKML Patch Discussion
- Kernel.org Tree with Fix

Can This Be Exploited?

In theory, yes: any process that can trigger sd_probe() errors before full initialization could crash the kernel. In practice, this would likely require physical access or the ability to emulate a broken SCSI device (e.g. via a specially-crafted USB mass storage gadget). While less likely in standard desktop/server environments, it is a real concern for systems accepting arbitrary storage devices.

A simplified example "exploit" would involve (as root)

- Attaching a specially prepared storage device (e.g., SCSI/SATA/USB) that tricks the kernel into hitting the early error condition inside sd_probe().
- The kernel, failing to initialize all required data, hits the buggy cleanup path and dereferences a NULL pointer—leading to a kernel panic and system crash.

No code execution or privilege escalation is known—just denial of service.

Lessons for Developers

1. Cleanup only what you set up: Never call free/cleanup functions for items that haven’t been successfully initialized.
2. NULL pointer deref in kernel = system crash: Even a simple error handling path bug can cause a denial of service.

References & Further Reading

- Linux Kernel Patch
- Linux SCSI Subsystem Wiki
- CVE-2022-49376 at cve.org (if populated)

Conclusion

CVE-2022-49376 shows us that with complex, mature systems like the Linux kernel, subtle bugs in error handling—even those that sound obvious in hindsight—can and do slip through. Always be careful in your error paths, only clean up what you have properly set up, and don’t underestimate the risk from a simple NULL pointer dereference!

*Stay patched, and stay curious—these glimpses into the kernel’s inner workings help everyone write more robust and secure code.*

Timeline

Published on: 02/26/2025 07:01:14 UTC
Last modified on: 04/14/2025 20:37:57 UTC