CVSS: - | EPSS: 0% | CPEs: 2 | EXPL: 0

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix use-after-free and race in fastrpc_map_find

Currently, there is a race window between the point when the mutex is unlocked in fastrpc_map_lookup and the reference count increasing (fastrpc_map_get) in fastrpc_map_find, which can also lead to use-after-free. So let's merge fastrpc_map_find into fastrpc_map_lookup which allows us to both protect the maps list by also taking the &fl->lock spinlock and the reference count, since the spinlock will be released only after. Add take_ref argument to make this suitable for all callers.

https://git.kernel.org/stable/c/8f6c1d8c4f0cc316b0456788fff8373554d1d99d
https://git.kernel.org/stable/c/a50c5c25b6e7d2824698c0e6385f882a18f4a498
https://git.kernel.org/stable/c/9446fa1683a7e3937d9970248ced427c1983a1c5

CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Don't remove map on creater_process and device_release

Do not remove the map from the list on error path in fastrpc_init_create_process, instead call fastrpc_map_put, to avoid use-after-free.

https://git.kernel.org/stable/c/b49f6d83e290f17e20f4e5cf31288d3bb4955ea6
https://git.kernel.org/stable/c/aaf5aa44934ad069cac805923c49f6968b9a0d49
https://git.kernel.org/stable/c/4b5c44e924a571d0ad07054de549624fbc04e4d7
https://git.kernel.org/stable/c/193cd853145b63e670bd73740250983af1475330
https://git.kernel.org/stable/c/1b7b7bb400dd13dcb03fc6e591bb7ca4664bbec8
https://git.kernel.org/stable/c/35ddd482345c43d9eec1f3406c0f20a95ed4054b
https://git.kernel.org/stable/c/5bb96c8f9268e2fdb0e5321cbc358ee5941efc15

CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix use-after-free race condition for maps

It is possible that in between calling fastrpc_map_get() until map->fl->lock is taken in fastrpc_free_map(), another thread can call fastrpc_map_lookup() and get a reference to a map that is about to be deleted. Rewrite fastrpc_map_get() to only increase the reference count of a map if it's non-zero.

https://git.kernel.org/stable/c/c68cfb718c8f97b7f7a50ed66be5feb42d0c8988
https://git.kernel.org/stable/c/556dfdb226ce1e5231d8836159b23f8bb0395bf4
https://git.kernel.org/stable/c/b171d0d2cf1b8387c72c8d325c5d5746fa271e39
https://git.kernel.org/stable/c/61a0890cb95afec5c8a2f4a879de2b6220984ef1
https://git.kernel.org/stable/c/079c78c68714f7d8d58e66c477b0243b31806907
https://git.kernel.org/stable/c/96b328d119eca7563c1edcc4e1039a62e6370ecb

CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0

In the Linux kernel, the following vulnerability has been resolved:

tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer

Driver's probe allocates memory for RX FIFO (port->rx_fifo) based on default RX FIFO depth, e.g. 16.

https://git.kernel.org/stable/c/f9d690b6ece7ec9a6ff6b588df95a010ab2d66f9
https://git.kernel.org/stable/c/894681682dbefdad917b88f86cde1069140a047a
https://git.kernel.org/stable/c/cb53a3366eb28fed67850c80afa52075bb71a38a
https://git.kernel.org/stable/c/fd524ca7fe45b8a06dca2dd546d62684a9768f95
https://git.kernel.org/stable/c/b8caf69a6946e18ffebad49847e258f5b6d52ac2

CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0

In the Linux kernel, the following vulnerability has been resolved:

tty: fix possible null-ptr-defer in spk_ttyio_release

Run the following tests on the qemu platform:

    syzkaller:~# modprobe speakup_audptr
    input: Speakup as /devices/virtual/input/input4
    initialized device: /dev/synth, node (MAJOR 10, MINOR 125)
    speakup 3.1.6: initialized
    synth name on entry is: (null)
    synth probe

spk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned failed (errno -16), then remove the module, we will get a null-ptr-defer problem, as follows:

    syzkaller:~# modprobe -r speakup_audptr
    releasing synth audptr
    BUG: kernel NULL pointer dereference, address: 0000000000000080
    #PF: supervisor write access in kernel mode
    #PF: error_code(0x0002) - not-present page
    PGD 0 P4D 0
    Oops: 0002 [#1] PREEMPT SMP PTI
    CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1
    RIP: 0010:mutex_lock+0x14/0x30
    Call Trace:
    <TASK>
    spk_ttyio_release+0x19/0x70 [speakup]
    synth_release.part.6+0xac/0xc0 [speakup]
    synth_remove+0x56/0x60 [speakup]
    __x64_sys_delete_module+0x156/0x250
    ?

https://git.kernel.org/stable/c/4f2a81f3a88217e7340b2cab5c0a5ebd0112514c
https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f
https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b
https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5