CVE-2022-48755 – powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06
https://notcve.org/view.php?id=CVE-2022-48755
In the Linux kernel, the following vulnerability has been resolved: powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06 Johan reported the below crash with test_bpf on ppc64 e5500: test_bpf: #296 ALU_END_FROM_LE 64: 0x0123456789abcdef -> 0x67452301 jited:1 Oops: Exception in kernel mode, sig: 4 [#1] BE PAGE_SIZE=4K SMP NR_CPUS=24 QEMU e500 Modules linked in: test_bpf(+) CPU: 0 PID: 76 Comm: insmod Not tainted 5.14.0-03771-g98c2059e008a-dirty #1 NIP: 8000000000061c3c LR: 80000000006dea64 CTR: 8000000000061c18 REGS: c0000000032d3420 TRAP: 0700 Not tainted (5.14.0-03771-g98c2059e008a-dirty) MSR: 0000000080089000 <EE,ME> CR: 88002822 XER: 20000000 IRQMASK: 0 <...> NIP [8000000000061c3c] 0x8000000000061c3c LR [80000000006dea64] .__run_one+0x104/0x17c [test_bpf] Call Trace: .__run_one+0x60/0x17c [test_bpf] (unreliable) .test_bpf_init+0x6a8/0xdc8 [test_bpf] .do_one_initcall+0x6c/0x28c .do_init_module+0x68/0x28c .load_module+0x2460/0x2abc .__do_sys_init_module+0x120/0x18c .system_call_exception+0x110/0x1b8 system_call_common+0xf0/0x210 --- interrupt: c00 at 0x101d0acc <... • https://git.kernel.org/stable/c/156d0e290e969caba25f1851c52417c14d141b24 https://git.kernel.org/stable/c/129c71829d7f46423d95c19e8d87ce956d4c6e1c https://git.kernel.org/stable/c/3bfbc00587dc883eaed383558ae512a351c2cd09 https://git.kernel.org/stable/c/aaccfeeee1630b155e8ff0d6c449d3de1ef86e73 https://git.kernel.org/stable/c/3f5f766d5f7f95a69a630da3544a1a0cee1cdddf •
CVE-2022-48754 – phylib: fix potential use-after-free
https://notcve.org/view.php?id=CVE-2022-48754
In the Linux kernel, the following vulnerability has been resolved: phylib: fix potential use-after-free Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added call to phy_device_reset(phydev) after the put_device() call in phy_detach(). The comment before the put_device() call says that the phydev might go away with put_device(). Fix potential use-after-free by calling phy_device_reset() before put_device(). En el kernel de Linux, se resolvió la siguiente vulnerabilidad: phylib: corrige el posible use-after-free. Commit bafbdd527d56 ("phylib: agregue soporte GPIO para restablecer el dispositivo") se agregó una llamada a phy_device_reset(phydev) después de la llamada put_device() en phy_detach( ). El comentario antes de la llamada put_device() dice que phydev podría desaparecer con put_device(). Solucione el posible use-after-free llamando a phy_device_reset() antes de put_device(). • https://git.kernel.org/stable/c/bafbdd527d569c8200521f2f7579f65a044271be https://git.kernel.org/stable/c/67d271760b037ce0806d687ee6057edc8afd4205 https://git.kernel.org/stable/c/f39027cbada43b33566c312e6be3db654ca3ad17 https://git.kernel.org/stable/c/bd024e36f68174b1793906c39ca16cee0c9295c2 https://git.kernel.org/stable/c/aefaccd19379d6c4620269a162bfb88ff687f289 https://git.kernel.org/stable/c/cb2fab10fc5e7a3aa1bb0a68a3abdcf3e37852af https://git.kernel.org/stable/c/cbda1b16687580d5beee38273f6241ae3725960c https://access.redhat.com/security/cve/CVE-2022-48754 • CWE-416: Use After Free •
CVE-2022-48753 – block: fix memory leak in disk_register_independent_access_ranges
https://notcve.org/view.php?id=CVE-2022-48753
In the Linux kernel, the following vulnerability has been resolved: block: fix memory leak in disk_register_independent_access_ranges kobject_init_and_add() takes reference even when it fails. According to the doc of kobject_init_and_add() If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object. Fix this issue by adding kobject_put(). Callback function blk_ia_ranges_sysfs_release() in kobject_put() can handle the pointer "iars" properly. • https://git.kernel.org/stable/c/a2247f19ee1c5ad75ef095cdfb909a3244b88aa8 https://git.kernel.org/stable/c/fe4214a07e0b53d2af711f57519e33739c5df23f https://git.kernel.org/stable/c/83114df32ae779df57e0af99a8ba6c3968b2ba3d •
CVE-2022-48751 – net/smc: Transitional solution for clcsock race issue
https://notcve.org/view.php?id=CVE-2022-48751
In the Linux kernel, the following vulnerability has been resolved: net/smc: Transitional solution for clcsock race issue We encountered a crash in smc_setsockopt() and it is caused by accessing smc->clcsock after clcsock was released. BUG: kernel NULL pointer dereference, address: 0000000000000020 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 50309 Comm: nginx Kdump: loaded Tainted: G E 5.16.0-rc4+ #53 RIP: 0010:smc_setsockopt+0x59/0x280 [smc] Call Trace: <TASK> __sys_setsockopt+0xfc/0x190 __x64_sys_setsockopt+0x20/0x30 do_syscall_64+0x34/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f16ba83918e </TASK> This patch tries to fix it by holding clcsock_release_lock and checking whether clcsock has already been released before access. In case that a crash of the same reason happens in smc_getsockopt() or smc_switch_to_fallback(), this patch also checkes smc->clcsock in them too. And the caller of smc_switch_to_fallback() will identify whether fallback succeeds according to the return value. • https://git.kernel.org/stable/c/fd57770dd198f5b2ddd5b9e6bf282cf98d63adb9 https://git.kernel.org/stable/c/d1d004585b40c212b338fc8a40cbaaf230ea4703 https://git.kernel.org/stable/c/38f0bdd548fd2ef5d481b88d8a2bfef968452e34 https://git.kernel.org/stable/c/4284225cd8001e134f5cf533a7cd244bbb654d0f https://git.kernel.org/stable/c/c0bf3d8a943b6f2e912b7c1de03e2ef28e76f760 •
CVE-2022-48750 – hwmon: (nct6775) Fix crash in clear_caseopen
https://notcve.org/view.php?id=CVE-2022-48750
In the Linux kernel, the following vulnerability has been resolved: hwmon: (nct6775) Fix crash in clear_caseopen Pawe? Marciniak reports the following crash, observed when clearing the chassis intrusion alarm. BUG: kernel NULL pointer dereference, address: 0000000000000028 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 3 PID: 4815 Comm: bash Tainted: G S 5.16.2-200.fc35.x86_64 #1 Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P2.60A 05/03/2018 RIP: 0010:clear_caseopen+0x5a/0x120 [nct6775] Code: 68 70 e8 e9 32 b1 e3 85 c0 0f 85 d2 00 00 00 48 83 7c 24 ... RSP: 0018:ffffabcb02803dd8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: ffff8e8808192880 RSI: 0000000000000000 RDI: ffff8e87c7509a68 RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000000a R10: 000000000000000a R11: f000000000000000 R12: 000000000000001f R13: ffff8e87c7509828 R14: ffff8e87c7509a68 R15: ffff8e88494527a0 FS: 00007f4db9151740(0000) GS:ffff8e8ebfec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3: 0000000166b66001 CR4: 00000000001706e0 Call Trace: <TASK> kernfs_fop_write_iter+0x11c/0x1b0 new_sync_write+0x10b/0x180 vfs_write+0x209/0x2a0 ksys_write+0x4f/0xc0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae The problem is that the device passed to clear_caseopen() is the hwmon device, not the platform device, and the platform data is not set in the hwmon device. Store the pointer to sio_data in struct nct6775_data and get if from there if needed. • https://git.kernel.org/stable/c/2e7b9886968b89f0b4cbc59b8e6ed47fd4edd0dd https://git.kernel.org/stable/c/cfb7d12f2e4a4d694f49e9b4ebb352f7b67cdfbb https://git.kernel.org/stable/c/79da533d3cc717ccc05ddbd3190da8a72bc2408b •