CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48831 – ima: fix reference leak in asymmetric_verify()
https://notcve.org/view.php?id=CVE-2022-48831
In the Linux kernel, the following vulnerability has been resolved: ima: fix reference leak in asymmetric_verify() Don't leak a reference to the key if its algorithm is unknown. • https://git.kernel.org/stable/c/947d70597236dd5ae65c1f68c8eabfb962ee5a6b https://git.kernel.org/stable/c/0838d6d68182f0b28a5434bc6d50727c4757e35b https://git.kernel.org/stable/c/89f586d3398f4cc0432ed870949dffb702940754 https://git.kernel.org/stable/c/926fd9f23b27ca6587492c3f58f4c7f4cd01dad5 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48830 – can: isotp: fix potential CAN frame reception race in isotp_rcv()
https://notcve.org/view.php?id=CVE-2022-48830
In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix potential CAN frame reception race in isotp_rcv() When receiving a CAN frame the current code logic does not consider concurrently receiving processes which do not show up in real world usage. Ziyang Xuan writes: The following syz problem is one of the scenarios. so->rx.len is changed by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals 0 before alloc_skb() and equals 4096 after alloc_skb(). That will trigger skb_over_panic() in skb_put(). ======================================================= CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc8-syzkaller #0 RIP: 0010:skb_panic+0x16c/0x16e net/core/skbuff.c:113 Call Trace: <TASK> skb_over_panic net/core/skbuff.c:118 [inline] skb_put.cold+0x24/0x24 net/core/skbuff.c:1990 isotp_rcv_cf net/can/isotp.c:570 [inline] isotp_rcv+0xa38/0x1e30 net/can/isotp.c:668 deliver net/can/af_can.c:574 [inline] can_rcv_filter+0x445/0x8d0 net/can/af_can.c:635 can_receive+0x31d/0x580 net/can/af_can.c:665 can_rcv+0x120/0x1c0 net/can/af_can.c:696 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5465 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5579 Therefore we make sure the state changes and data structures stay consistent at CAN frame reception time by adding a spin_lock in isotp_rcv(). This fixes the issue reported by syzkaller but does not affect real world operation. • https://git.kernel.org/stable/c/e057dd3fc20ffb3d7f150af46542a51b59b90127 https://git.kernel.org/stable/c/7b53d2204ce79b27a878074a77d64f40ec21dbca https://git.kernel.org/stable/c/f90cc68f9f4b5d8585ad5d0a206a9d37ac299ef3 https://git.kernel.org/stable/c/5b068f33bc8acfcfd5ea7992a2dafb30d89bad30 https://git.kernel.org/stable/c/7c759040c1dd03954f650f147ae7175476d51314 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48829 – NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes
https://notcve.org/view.php?id=CVE-2022-48829
In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes iattr::ia_size is a loff_t, so these NFSv3 procedures must be careful to deal with incoming client size values that are larger than s64_max without corrupting the value. Silently capping the value results in storing a different value than the client passed in which is unexpected behavior, so remove the min_t() check in decode_sattr3(). Note that RFC 1813 permits only the WRITE procedure to return NFS3ERR_FBIG. We believe that NFSv3 reference implementations also return NFS3ERR_FBIG when ia_size is too large. • https://git.kernel.org/stable/c/a231ae6bb50e7c0a9e9efd7b0d10687f1d71b3a3 https://git.kernel.org/stable/c/37f2d2cd8eadddbbd9c7bda327a9393399b2f89b https://git.kernel.org/stable/c/aa9051ddb4b378bd22e72a67bc77b9fc1482c5f0 https://git.kernel.org/stable/c/a648fdeb7c0e17177a2280344d015dba3fbe3314 https://access.redhat.com/security/cve/CVE-2022-48829 https://bugzilla.redhat.com/show_bug.cgi?id=2298168 • CWE-253: Incorrect Check of Function Return Value •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48828 – NFSD: Fix ia_size underflow
https://notcve.org/view.php?id=CVE-2022-48828
In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix ia_size underflow iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and NFSv4 both define file size as an unsigned 64-bit type. Thus there is a range of valid file size values an NFS client can send that is already larger than Linux can handle. Currently decode_fattr4() dumps a full u64 value into ia_size. If that value happens to be larger than S64_MAX, then ia_size underflows. I'm about to fix up the NFSv3 behavior as well, so let's catch the underflow in the common code path: nfsd_setattr(). • https://git.kernel.org/stable/c/38d02ba22e43b6fc7d291cf724bc6e3b7be6626b https://git.kernel.org/stable/c/8e0ecaf7a7e57b30284d6b3289cc436100fadc48 https://git.kernel.org/stable/c/da22ca1ad548429d7822011c54cfe210718e0aa7 https://git.kernel.org/stable/c/e6faac3f58c7c4176b66f63def17a34232a17b0e https://access.redhat.com/security/cve/CVE-2022-48828 https://bugzilla.redhat.com/show_bug.cgi?id=2298167 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48827 – NFSD: Fix the behavior of READ near OFFSET_MAX
https://notcve.org/view.php?id=CVE-2022-48827
In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix the behavior of READ near OFFSET_MAX Dan Aloni reports: > Due to commit 8cfb9015280d ("NFS: Always provide aligned buffers to > the RPC read layers") on the client, a read of 0xfff is aligned up > to server rsize of 0x1000. > > As a result, in a test where the server has a file of size > 0x7fffffffffffffff, and the client tries to read from the offset > 0x7ffffffffffff000, the read causes loff_t overflow in the server > and it returns an NFS code of EINVAL to the client. The client as > a result indefinitely retries the request. The Linux NFS client does not handle NFS?ERR_INVAL, even though all NFS specifications permit servers to return that status code for a READ. Instead of NFS?ERR_INVAL, have out-of-range READ requests succeed and return a short result. Set the EOF flag in the result to prevent the client from retrying the READ request. • https://git.kernel.org/stable/c/1726a39b0879acfb490b22dca643f26f4f907da9 https://git.kernel.org/stable/c/c6eff5c4277146a78b4fb8c9b668dd64542c41b0 https://git.kernel.org/stable/c/44502aca8e02ab32d6b0eb52e006a5ec9402719b https://git.kernel.org/stable/c/0cb4d23ae08c48f6bf3c29a8e5c4a74b8388b960 https://access.redhat.com/security/cve/CVE-2022-48827 https://bugzilla.redhat.com/show_bug.cgi?id=2298166 • CWE-125: Out-of-bounds Read •