CVE-2022-48884 – net/mlx5: Fix command stats access after free
https://notcve.org/view.php?id=CVE-2022-48884
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix command stats access after free
Command may fail while driver is reloading and can't accept FW commands till command interface is reinitialized. Such command failure is being logged to command stats. This results in NULL pointer access as command stats structure is being freed and reallocated during mlx5 devlink reload (see kernel log below).
Fix it by making command stats statically allocated on driver probe.
Kernel log:
[ 2394.808802] BUG: unable to handle kernel paging request at 000000000002a9c0
[ 2394.810610] PGD 0 P4D 0
[ 2394.811811] Oops: 0002 [#1] SMP NOPTI
...
[ 2394.815482] RIP: 0010:native_queued_spin_lock_slowpath+0x183/0x1d0
...
[ 2394.829505] Call Trace:
[ 2394.830667] _raw_spin_lock_irq+0x23/0x26
[ 2394.831858] cmd_status_err+0x55/0x110 [mlx5_core]
[ 2394.833020] mlx5_access_reg+0xe7/0x150 [mlx5_core]
[ 2394.834175] mlx5_query_port_ptys+0x78/0xa0 [mlx5_core]
[ 2394.835337] mlx5e_ethtool_get_link_ksettings+0x74/0x590 [mlx5_core]
[ 2394.836454] ? kmem_cache_alloc_trace+0x140/0x1c0
[ 2394.837562] __rh_call_get_link_ksettings+0x33/0x100
[ 2394.838663] ? __rtnl_unlock+0x25/0x50
[ 2394.839755] __ethtool_get_link_ksettings+0x72/0x150
[ 2394.840862] duplex_show+0x6e/0xc0
[ 2394.841963] dev_attr_show+0x1c/0x40
[ 2394.843048] sysfs_kf_seq_show+0x9b/0x100
[ 2394.844123] seq_read+0x153/0x410
[ 2394.845187] vfs_read+0x91/0x140
[ 2394.846226] ksys_read+0x4f/0xb0
[ 2394.847234] do_syscall_64+0x5b/0x1a0
[ 2394.848228] entry_SYSCALL_64_after_hwframe+0x65/0xca
• https://git.kernel.org/stable/c/34f46ae0d4b38e83cfb26fb6f06b5b5efea47fdc
• https://git.kernel.org/stable/c/ddf458641a511e7dff19f3bf0cbbc5dd9fe08ce5
• https://git.kernel.org/stable/c/da2e552b469a0cd130ff70a88ccc4139da428a65
• https://access.redhat.com/security/cve/CVE-2022-48884
• https://bugzilla.redhat.com/show_bug.cgi?id=2306405
• CWE-416: Use After Free
CVE-2022-48883 – net/mlx5e: IPoIB, Block PKEY interfaces with less rx queues than parent
https://notcve.org/view.php?id=CVE-2022-48883
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: IPoIB, Block PKEY interfaces with less rx queues than parent
A user is able to configure an arbitrary number of rx queues when creating an interface via netlink. This doesn't work for child PKEY interfaces because the child interface uses the parent receive channels.
Although the child shares the parent's receive channels, the number of rx queues is important for the channel_stats array: the parent's rx channel index is used to access the child's channel_stats. So the array has to be at least as large as the parent's rx queue size for the counting to work correctly and to prevent out of bound accesses.
This patch checks for the mentioned scenario and returns an error when trying to create the interface. The error is propagated to the user.
• https://git.kernel.org/stable/c/be98737a4faa3a0dc1781ced5bbf5c47865e29d7
• https://git.kernel.org/stable/c/5844a46f09f768da866d6b0ffbf1a9073266bf24
• https://git.kernel.org/stable/c/31c70bfe58ef09fe36327ddcced9143a16e9e83d
CVE-2022-48882 – net/mlx5e: Fix macsec possible null dereference when updating MAC security entity (SecY)
https://notcve.org/view.php?id=CVE-2022-48882
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Fix macsec possible null dereference when updating MAC security entity (SecY)
Upon updating MAC security entity (SecY) in hw offload path, the macsec security association (SA) initialization routine is called. In case extended packet number (epn) is enabled, the salt and ssci attributes are retrieved using the MACsec driver rx_sa context, which is unavailable when updating a SecY property such as encoding-sa, hence the null dereference.
Fix by using the provided SA to set those attributes.
• https://git.kernel.org/stable/c/4411a6c0abd3e55b4a4fb9432b3a0553f12337c2
• https://git.kernel.org/stable/c/514d9c6a39213d8200884e70f60ce7faef1ee597
• https://git.kernel.org/stable/c/9828994ac492e8e7de47fe66097b7e665328f348
CVE-2022-48881 – platform/x86/amd: Fix refcount leak in amd_pmc_probe
https://notcve.org/view.php?id=CVE-2022-48881
In the Linux kernel, the following vulnerability has been resolved:
platform/x86/amd: Fix refcount leak in amd_pmc_probe
pci_get_domain_bus_and_slot() takes reference, the caller should release the reference by calling pci_dev_put() after use. Call pci_dev_put() in the error path to fix this.
• https://git.kernel.org/stable/c/3d7d407dfb05b257e15cb0c6b056428a4a8c2e5d
• https://git.kernel.org/stable/c/3944162821295993ec89992dec98ab6be6306cc0
• https://git.kernel.org/stable/c/ccb32e2be14271a60e9ba89c6d5660cc9998773c
CVE-2022-48880 – platform/surface: aggregator: Add missing call to ssam_request_sync_free()
https://notcve.org/view.php?id=CVE-2022-48880
In the Linux kernel, the following vulnerability has been resolved:
platform/surface: aggregator: Add missing call to ssam_request_sync_free()
Although rare, ssam_request_sync_init() can fail. In that case, the request should be freed via ssam_request_sync_free(). Currently it is leaked instead. Fix this.
• https://git.kernel.org/stable/c/c167b9c7e3d6131b4a4865c112a3dbc86d2e997d
• https://git.kernel.org/stable/c/d2dc110deabe7142b60ebeed689e67f92795ee24
• https://git.kernel.org/stable/c/50b3cdf8239b11545f311c4f7b89e0092e4feedb
• https://git.kernel.org/stable/c/c965daac370f08a9b71d573a71d13cda76f2a884