CVE-2022-48755 – powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06
https://notcve.org/view.php?id=CVE-2022-48755
In the Linux kernel, the following vulnerability has been resolved: powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06 Johan reported the below crash with test_bpf on ppc64 e5500: test_bpf: #296 ALU_END_FROM_LE 64: 0x0123456789abcdef -> 0x67452301 jited:1 Oops: Exception in kernel mode, sig: 4 [#1] BE PAGE_SIZE=4K SMP NR_CPUS=24 QEMU e500 Modules linked in: test_bpf(+) CPU: 0 PID: 76 Comm: insmod Not tainted 5.14.0-03771-g98c2059e008a-dirty #1 NIP: 8000000000061c3c LR: 80000000006dea64 CTR: 8000000000061c18 REGS: c0000000032d3420 TRAP: 0700 Not tainted (5.14.0-03771-g98c2059e008a-dirty) MSR: 0000000080089000 <EE,ME> CR: 88002822 XER: 20000000 IRQMASK: 0 <...> NIP [8000000000061c3c] 0x8000000000061c3c LR [80000000006dea64] .__run_one+0x104/0x17c [test_bpf] Call Trace: .__run_one+0x60/0x17c [test_bpf] (unreliable) .test_bpf_init+0x6a8/0xdc8 [test_bpf] .do_one_initcall+0x6c/0x28c .do_init_module+0x68/0x28c .load_module+0x2460/0x2abc .__do_sys_init_module+0x120/0x18c .system_call_exception+0x110/0x1b8 system_call_common+0xf0/0x210 --- interrupt: c00 at 0x101d0acc <... • https://git.kernel.org/stable/c/156d0e290e969caba25f1851c52417c14d141b24 https://git.kernel.org/stable/c/129c71829d7f46423d95c19e8d87ce956d4c6e1c https://git.kernel.org/stable/c/3bfbc00587dc883eaed383558ae512a351c2cd09 https://git.kernel.org/stable/c/aaccfeeee1630b155e8ff0d6c449d3de1ef86e73 https://git.kernel.org/stable/c/3f5f766d5f7f95a69a630da3544a1a0cee1cdddf •
CVE-2022-48754 – phylib: fix potential use-after-free
https://notcve.org/view.php?id=CVE-2022-48754
In the Linux kernel, the following vulnerability has been resolved: phylib: fix potential use-after-free Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call to phy_device_reset(phydev) after the put_device() call in phy_detach(). The comment before the put_device() call says that the phydev might go away with put_device(). Fix potential use-after-free by calling phy_device_reset() before put_device(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: phylib: corrige el posible use-after-free. Commit bafbdd527d56 ("phylib: agregue soporte GPIO para restablecer el dispositivo") se agregó una llamada a phy_device_reset(phydev) después de la llamada put_device() en phy_detach( ). El comentario antes de la llamada put_device() dice que phydev podría desaparecer con put_device(). Solucione el posible use-after-free llamando a phy_device_reset() antes de put_device(). • https://git.kernel.org/stable/c/bafbdd527d569c8200521f2f7579f65a044271be https://git.kernel.org/stable/c/67d271760b037ce0806d687ee6057edc8afd4205 https://git.kernel.org/stable/c/f39027cbada43b33566c312e6be3db654ca3ad17 https://git.kernel.org/stable/c/bd024e36f68174b1793906c39ca16cee0c9295c2 https://git.kernel.org/stable/c/aefaccd19379d6c4620269a162bfb88ff687f289 https://git.kernel.org/stable/c/cb2fab10fc5e7a3aa1bb0a68a3abdcf3e37852af https://git.kernel.org/stable/c/cbda1b16687580d5beee38273f6241ae3725960c https://access.redhat.com/security/cve/CVE-2022-48754 • CWE-416: Use After Free •
CVE-2022-48751 – net/smc: Transitional solution for clcsock race issue
https://notcve.org/view.php?id=CVE-2022-48751
In the Linux kernel, the following vulnerability has been resolved: net/smc: Transitional solution for clcsock race issue We encountered a crash in smc_setsockopt() and it is caused by accessing smc->clcsock after clcsock was released. BUG: kernel NULL pointer dereference, address: 0000000000000020 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 50309 Comm: nginx Kdump: loaded Tainted: G E 5.16.0-rc4+ #53 RIP: 0010:smc_setsockopt+0x59/0x280 [smc] Call Trace: <TASK> __sys_setsockopt+0xfc/0x190 __x64_sys_setsockopt+0x20/0x30 do_syscall_64+0x34/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f16ba83918e </TASK> This patch tries to fix it by holding clcsock_release_lock and checking whether clcsock has already been released before access. In case that a crash of the same reason happens in smc_getsockopt() or smc_switch_to_fallback(), this patch also checkes smc->clcsock in them too. And the caller of smc_switch_to_fallback() will identify whether fallback succeeds according to the return value. • https://git.kernel.org/stable/c/fd57770dd198f5b2ddd5b9e6bf282cf98d63adb9 https://git.kernel.org/stable/c/d1d004585b40c212b338fc8a40cbaaf230ea4703 https://git.kernel.org/stable/c/38f0bdd548fd2ef5d481b88d8a2bfef968452e34 https://git.kernel.org/stable/c/4284225cd8001e134f5cf533a7cd244bbb654d0f https://git.kernel.org/stable/c/c0bf3d8a943b6f2e912b7c1de03e2ef28e76f760 •
CVE-2022-48749 – drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc
https://notcve.org/view.php?id=CVE-2022-48749
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc The function performs a check on the "ctx" input parameter, however, it is used before the check. Initialize the "base" variable after the sanity check to avoid a possible NULL pointer dereference. Addresses-Coverity-ID: 1493866 ("Null pointer dereference") • https://git.kernel.org/stable/c/4259ff7ae509ed880b3a7bb685972c3a3bf4b74b https://git.kernel.org/stable/c/93a6e920d8ccb4df846c03b6e72f7e08843d294c https://git.kernel.org/stable/c/8f069f6dde518dfebe86e848508c07e497bd9298 https://git.kernel.org/stable/c/1ebc18836d5df09061657f8c548e594cbb519476 https://git.kernel.org/stable/c/170b22234d5495f5e0844246e23f004639ee89ba •
CVE-2022-48748 – net: bridge: vlan: fix memory leak in __allowed_ingress
https://notcve.org/view.php?id=CVE-2022-48748
In the Linux kernel, the following vulnerability has been resolved: net: bridge: vlan: fix memory leak in __allowed_ingress When using per-vlan state, if vlan snooping and stats are disabled, untagged or priority-tagged ingress frame will go to check pvid state. If the port state is forwarding and the pvid state is not learning/forwarding, untagged or priority-tagged frame will be dropped but skb memory is not freed. Should free skb when __allowed_ingress returns false. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: net: bridge: vlan: corrige la pérdida de memoria en __allowed_ingress Cuando se usa el estado por VLAN, si la vigilancia de VLAN y las estadísticas están deshabilitadas, el marco de ingreso sin etiquetar o con etiqueta de prioridad irá a verificar pvid estado. Si el estado del puerto está reenviando y el estado del pvid no está aprendiendo/reenviando, se descartará la trama sin etiquetar o con etiqueta de prioridad, pero no se liberará la memoria skb. Debería liberar skb cuando __allowed_ingress devuelva falso. • https://git.kernel.org/stable/c/a580c76d534c7360ba68042b19cb255e8420e987 https://git.kernel.org/stable/c/446ff1fc37c74093e81db40811a07b5a19f1d797 https://git.kernel.org/stable/c/c5e216e880fa6f2cd9d4a6541269377657163098 https://git.kernel.org/stable/c/14be8d448fca6fe7b2a413831eedd55aef6c6511 https://git.kernel.org/stable/c/fd20d9738395cf8e27d0a17eba34169699fccdff • CWE-400: Uncontrolled Resource Consumption •