CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2022-48924 – thermal: int340x: fix memory leak in int3400_notify()
https://notcve.org/view.php?id=CVE-2022-48924
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: thermal: int340x: fix memory leak in int3400_notify() It is easy to hit the below memory leaks in my TigerLake platform: unreferenced object 0xffff927c8b91dbc0 (size 32): comm "kworker/0:2", pid 112, jiffies 4294893323 (age 83.604s) hex dump (first 32 bytes): 4e 41 4d 45 3d 49 4e 54 33 34 30 30 20 54 68 65 NAME=INT3400 The 72 6d 61 6c 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 rmal.kkkkkkkkkk. backtrace: [
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48923 – btrfs: prevent copying too big compressed lzo segment
https://notcve.org/view.php?id=CVE-2022-48923
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: prevent copying too big compressed lzo segment Compressed length can be corrupted to be a lot larger than memory we have allocated for buffer. This will cause memcpy in copy_compressed_segment to write outside of allocated memory. This mostly results in stuck read syscall but sometimes when using btrfs send can get #GP kernel: general protection fault, probably for non-canonical address 0x841551d5c1000: 0000 [#1] PREEMPT SMP NOPTI ke... • https://git.kernel.org/stable/c/8df508b7a44cd8110c726057cd28e8f8116885eb •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48922 – riscv: fix oops caused by irqsoff latency tracer
https://notcve.org/view.php?id=CVE-2022-48922
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: riscv: fix oops caused by irqsoff latency tracer The trace_hardirqs_{on,off}() require the caller to setup frame pointer properly. This because these two functions use macro 'CALLER_ADDR1' (aka. __builtin_return_address(1)) to acquire caller info. If the $fp is used for other purpose, the code generated this macro (as below) could trigger memory access fault. 0xffffffff8011510e <+80>: ld a1,-16(s0) 0xffffffff80115112 <+84>: ld s2,-8(a1) # <... • https://git.kernel.org/stable/c/3c46979829824da5af8766d89fa877976bdae884 •
CVSS: 4.7EPSS: 0%CPEs: 5EXPL: 0CVE-2022-48921 – sched/fair: Fix fault in reweight_entity
https://notcve.org/view.php?id=CVE-2022-48921
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix fault in reweight_entity Syzbot found a GPF in reweight_entity. This has been bisected to commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid sched_task_group") There is a race between sched_post_fork() and setpriority(PRIO_PGRP) within a thread group that causes a null-ptr-deref in reweight_entity() in CFS. The scenario is that the main process spawns number of new threads, which then call setpriority(PRI... • https://git.kernel.org/stable/c/c85c6fadbef0a3eab41540ea628fa8fe8928c820 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48920 – btrfs: get rid of warning on transaction commit when using flushoncommit
https://notcve.org/view.php?id=CVE-2022-48920
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: get rid of warning on transaction commit when using flushoncommit When using the flushoncommit mount option, during almost every transaction commit we trigger a warning from __writeback_inodes_sb_nr(): $ cat fs/fs-writeback.c: (...) static void __writeback_inodes_sb_nr(struct super_block *sb, ... { (...) WARN_ON(!rwsem_is_locked(&sb->s_umount)); (...) } (...) The trace produced in dmesg looks like the following: [947.473890] WARNING:... • https://git.kernel.org/stable/c/850a77c999b81dd2724efd2684068d6f90db8c16 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48919 – cifs: fix double free race when mount fails in cifs_get_root()
https://notcve.org/view.php?id=CVE-2022-48919
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: cifs: fix double free race when mount fails in cifs_get_root() When cifs_get_root() fails during cifs_smb3_do_mount() we call deactivate_locked_super() which eventually will call delayed_free() which will free the context. In this situation we should not proceed to enter the out: section in cifs_smb3_do_mount() and free the same resources a second time. [Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcu_cblist_dequeue+0x32/0x60 [T... • https://git.kernel.org/stable/c/da834d6c1147c7519a9e55b510a03b7055104749 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48918 – iwlwifi: mvm: check debugfs_dir ptr before use
https://notcve.org/view.php?id=CVE-2022-48918
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: iwlwifi: mvm: check debugfs_dir ptr before use When "debugfs=off" is used on the kernel command line, iwiwifi's mvm module uses an invalid/unchecked debugfs_dir pointer and causes a BUG: BUG: kernel NULL pointer dereference, address: 000000000000004f #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 1 PID: 503 Comm: modprobe Tainted: G W 5.17.0-rc5 #7 Hardware ... • https://git.kernel.org/stable/c/8c082a99edb997d7999eb7cdb648e47a2bf4a638 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-48916 – iommu/vt-d: Fix double list_add when enabling VMD in scalable mode
https://notcve.org/view.php?id=CVE-2022-48916
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix double list_add when enabling VMD in scalable mode When enabling VMD and IOMMU scalable mode, the following kernel panic call trace/kernel log is shown in Eagle Stream platform (Sapphire Rapids CPU) during booting: pci 0000:59:00.5: Adding to iommu group 42 ... vmd 0000:59:00.5: PCI host bridge to bus 10000:80 pci 10000:80:01.0: [8086:352a] type 01 class 0x060400 pci 10000:80:01.0: reg 0x10: [mem 0x00000000-0x0001ffff 64bit]... • https://git.kernel.org/stable/c/474dd1c6506411752a9b2f2233eec11f1733a099 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48915 – thermal: core: Fix TZ_GET_TRIP NULL pointer dereference
https://notcve.org/view.php?id=CVE-2022-48915
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix TZ_GET_TRIP NULL pointer dereference Do not call get_trip_hyst() from thermal_genl_cmd_tz_get_trip() if the thermal zone does not define one. In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix TZ_GET_TRIP NULL pointer dereference Do not call get_trip_hyst() from thermal_genl_cmd_tz_get_trip() if the thermal zone does not define one. • https://git.kernel.org/stable/c/1ce50e7d408ef2bdc8ca021363fd46d1b8bfad00 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48913 – blktrace: fix use after free for struct blk_trace
https://notcve.org/view.php?id=CVE-2022-48913
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: blktrace: fix use after free for struct blk_trace When tracing the whole disk, 'dropped' and 'msg' will be created under 'q->debugfs_dir' and 'bt->dir' is NULL, thus blk_trace_free() won't remove those files. What's worse, the following UAF can be triggered because of accessing stale 'dropped' and 'msg': ================================================================== BUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100 Read of size ... • https://git.kernel.org/stable/c/c0ea57608b691d6cde8aff23e11f9858a86b5918 •