CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48835 – scsi: mpt3sas: Page fault in reply q processing
https://notcve.org/view.php?id=CVE-2022-48835
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Page fault in reply q processing A page fault was encountered in mpt3sas on a LUN reset error path: [ 145.763216] mpt3sas_cm1: Task abort tm failed: handle(0x0002),timeout(30) tr_method(0x0) smid(3) msix_index(0) [ 145.778932] scsi 1:0:0:0: task abort: FAILED scmd(0x0000000024ba29a2) [ 145.817307] scsi 1:0:0:0: attempting device reset! scmd(0x0000000024ba29a2) [ 145.827253] scsi 1:0:0:0: [sg1] tag#2 CDB: Receive Diagnostic 1c... • https://git.kernel.org/stable/c/711a923c14d9a48d15a30a2c085184954bf04931 • CWE-763: Release of Invalid Pointer or Reference •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-48834 – usb: usbtmc: Fix bug in pipe direction for control transfers
https://notcve.org/view.php?id=CVE-2022-48834
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Fix bug in pipe direction for control transfers The syzbot fuzzer reported a minor bug in the usbtmc driver: usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0 WARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412 usb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 3813 Comm: syz-executor122 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0 ... Call Trace:
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48833 – btrfs: skip reserved bytes warning on unmount after log cleanup failure
https://notcve.org/view.php?id=CVE-2022-48833
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: skip reserved bytes warning on unmount after log cleanup failure After the recent changes made by commit c2e39305299f01 ("btrfs: clear extent buffer uptodate when we fail to write it") and its followup fix, commit 651740a5024117 ("btrfs: check WRITE_ERR when trying to read an extent buffer"), we can now end up not cleaning up space reservations of log tree extent buffers after a transaction abort happens, as well as not cleaning up s... • https://git.kernel.org/stable/c/4c5d94990fa2fd609360ecd0f7e183212a7d115c •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-48832 – audit: don't deref the syscall args when checking the openat2 open_how::flags
https://notcve.org/view.php?id=CVE-2022-48832
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: audit: don't deref the syscall args when checking the openat2 open_how::flags As reported by Jeff, dereferencing the openat2 syscall argument in audit_match_perm() to obtain the open_how::flags can result in an oops/page-fault. This patch fixes this by using the open_how struct that we store in the audit_context with audit_openat2_how(). Independent of this patch, Richard Guy Briggs posted a similar patch to the audit mailing list roughly 4... • https://git.kernel.org/stable/c/1c30e3af8a79260cdba833a719209b01e6b92300 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48831 – ima: fix reference leak in asymmetric_verify()
https://notcve.org/view.php?id=CVE-2022-48831
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: ima: fix reference leak in asymmetric_verify() Don't leak a reference to the key if its algorithm is unknown. • https://git.kernel.org/stable/c/947d70597236dd5ae65c1f68c8eabfb962ee5a6b •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48830 – can: isotp: fix potential CAN frame reception race in isotp_rcv()
https://notcve.org/view.php?id=CVE-2022-48830
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: can: isotp: fix potential CAN frame reception race in isotp_rcv() When receiving a CAN frame the current code logic does not consider concurrently receiving processes which do not show up in real world usage. Ziyang Xuan writes: The following syz problem is one of the scenarios. so->rx.len is changed by isotp_rcv_ff() during isotp_rcv_cf(), so->rx.len equals 0 before alloc_skb() and equals 4096 after alloc_skb(). That will trigger skb_over_... • https://git.kernel.org/stable/c/e057dd3fc20ffb3d7f150af46542a51b59b90127 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48829 – NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes
https://notcve.org/view.php?id=CVE-2022-48829
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes iattr::ia_size is a loff_t, so these NFSv3 procedures must be careful to deal with incoming client size values that are larger than s64_max without corrupting the value. Silently capping the value results in storing a different value than the client passed in which is unexpected behavior, so remove the min_t() check in decode_sattr3(). Note that RFC 1813 permits only the WRITE pr... • https://git.kernel.org/stable/c/a231ae6bb50e7c0a9e9efd7b0d10687f1d71b3a3 • CWE-253: Incorrect Check of Function Return Value •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48828 – NFSD: Fix ia_size underflow
https://notcve.org/view.php?id=CVE-2022-48828
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix ia_size underflow iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and NFSv4 both define file size as an unsigned 64-bit type. Thus there is a range of valid file size values an NFS client can send that is already larger than Linux can handle. Currently decode_fattr4() dumps a full u64 value into ia_size. If that value happens to be larger than S64_MAX, then ia_size underflows. • https://git.kernel.org/stable/c/38d02ba22e43b6fc7d291cf724bc6e3b7be6626b •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48827 – NFSD: Fix the behavior of READ near OFFSET_MAX
https://notcve.org/view.php?id=CVE-2022-48827
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix the behavior of READ near OFFSET_MAX Dan Aloni reports: > Due to commit 8cfb9015280d ("NFS: Always provide aligned buffers to > the RPC read layers") on the client, a read of 0xfff is aligned up > to server rsize of 0x1000. > > As a result, in a test where the server has a file of size > 0x7fffffffffffffff, and the client tries to read from the offset > 0x7ffffffffffff000, the read causes loff_t overflow in the server > and it ret... • https://git.kernel.org/stable/c/1726a39b0879acfb490b22dca643f26f4f907da9 • CWE-125: Out-of-bounds Read •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48826 – drm/vc4: Fix deadlock on DSI device attach error
https://notcve.org/view.php?id=CVE-2022-48826
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Fix deadlock on DSI device attach error DSI device attach to DSI host will be done with host device's lock held. Un-registering host in "device attach" error path (ex: probe retry) will result in deadlock with below call trace and non operational DSI display. Startup Call trace: [ 35.043036] rt_mutex_slowlock.constprop.21+0x184/0x1b8 [ 35.043048] mutex_lock_nested+0x7c/0xc8 [ 35.043060] device_del+0x4c/0x3e8 [ 35.043075] device_unr... • https://git.kernel.org/stable/c/770d1ba9a8201ce9bee0946eb03746449b6f3b80 •