CVE-2022-48742 – rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink()
https://notcve.org/view.php?id=CVE-2022-48742
In the Linux kernel, the following vulnerability has been resolved: rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() While looking at one unrelated syzbot bug, I found the replay logic in __rtnl_newlink() to potentially trigger use-after-free. It is better to clear master_dev and m_ops inside the loop, in case we have to replay it. • https://git.kernel.org/stable/c/ba7d49b1f0f8e5f24294a880ed576964059af5ef https://git.kernel.org/stable/c/2cf180360d66bd657e606c1217e0e668e6faa303 https://git.kernel.org/stable/c/7d9211678c0f0624f74cdff36117ab8316697bb8 https://git.kernel.org/stable/c/a01e60a1ec6bef9be471fb7182a33c6d6f124e93 https://git.kernel.org/stable/c/bd43771ee9759dd9dfae946bff190e2c5a120de5 https://git.kernel.org/stable/c/3bbe2019dd12b8d13671ee6cda055d49637b4c39 https://git.kernel.org/stable/c/def5e7070079b2a214b3b1a2fbec623e6fbfe34a https://git.kernel.org/stable/c/36a9a0aee881940476b254e0352581401 •
CVE-2022-48740 – selinux: fix double free of cond_list on error paths
https://notcve.org/view.php?id=CVE-2022-48740
In the Linux kernel, the following vulnerability has been resolved: selinux: fix double free of cond_list on error paths On error path from cond_read_list() and duplicate_policydb_cond_list() the cond_list_destroy() gets called a second time in caller functions, resulting in NULL pointer deref. Fix this by resetting the cond_list_len to 0 in cond_list_destroy(), making subsequent calls a noop. Also consistently reset the cond_list pointer to NULL after freeing. [PM: fix line lengths in the description] • https://git.kernel.org/stable/c/f446089a268c8fc6908488e991d28a9b936293db https://git.kernel.org/stable/c/70caa32e6d81f45f0702070c0e4dfe945e92fbd7 https://git.kernel.org/stable/c/7ed9cbf7ac0d4ed86b356e1b944304ae9ee450d4 https://git.kernel.org/stable/c/186edf7e368c40d06cf727a1ad14698ea67b74ad •
CVE-2022-48738 – ASoC: ops: Reject out of bounds values in snd_soc_put_volsw()
https://notcve.org/view.php?id=CVE-2022-48738
In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() We don't currently validate that the values being set are within the range we advertised to userspace as being valid, do so and reject any values that are out of range. • https://git.kernel.org/stable/c/40f598698129b5ceaf31012f9501b775c7b6e57d https://git.kernel.org/stable/c/586ef863c94354a7e00e5ae5ef01443d1dc99bc7 https://git.kernel.org/stable/c/65a61b1f56f5386486757930069fbdce94af08bf https://git.kernel.org/stable/c/68fd718724284788fc5f379e0b7cac541429ece7 https://git.kernel.org/stable/c/a9394f21fba027147bf275b083c77955864c366a https://git.kernel.org/stable/c/9e8895f1b3d4433f6d78aa6578e9db61ca6e6830 https://git.kernel.org/stable/c/bb72d2dda85564c66d909108ea6903937a41679d https://git.kernel.org/stable/c/817f7c9335ec01e0f5e8caffc4f1dcd5e • CWE-125: Out-of-bounds Read •
CVE-2022-48735 – ALSA: hda: Fix UAF of leds class devs at unbinding
https://notcve.org/view.php?id=CVE-2022-48735
In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: Fix UAF of leds class devs at unbinding The LED class devices that are created by HD-audio codec drivers are registered via devm_led_classdev_register() and associated with the HD-audio codec device. Unfortunately, it turned out that the devres release doesn't work for this case; namely, since the codec resource release happens before the devm call chain, it triggers a NULL dereference or a UAF for a stale set_brightness_delay callback. For fixing the bug, this patch changes the LED class device register and unregister in a manual manner without devres, keeping the instances in hda_gen_spec. • https://git.kernel.org/stable/c/a7de1002135cf94367748ffc695a29812d7633b5 https://git.kernel.org/stable/c/0e629052f013eeb61494d4df2f1f647c2a9aef47 https://git.kernel.org/stable/c/813e9f3e06d22e29872d4fd51b54992d89cf66c8 https://git.kernel.org/stable/c/549f8ffc7b2f7561bea7f90930b6c5104318e87b •
CVE-2022-48734 – btrfs: fix deadlock between quota disable and qgroup rescan worker
https://notcve.org/view.php?id=CVE-2022-48734
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock between quota disable and qgroup rescan worker Quota disable ioctl starts a transaction before waiting for the qgroup rescan worker completes. However, this wait can be infinite and results in deadlock because of circular dependency among the quota disable ioctl, the qgroup rescan worker and the other task with transaction such as block group relocation task. The deadlock happens with the steps following: 1) Task A calls ioctl to disable quota. It starts a transaction and waits for qgroup rescan worker completes. 2) Task B such as block group relocation task starts a transaction and joins to the transaction that task A started. Then task B commits to the transaction. In this commit, task B waits for a commit by task A. 3) Task C as the qgroup rescan worker starts its job and starts a transaction. • https://git.kernel.org/stable/c/26b3901d20bf9da2c6a00cb1fb48932166f80a45 https://git.kernel.org/stable/c/32747e01436aac8ef93fe85b5b523b4f3b52f040 https://git.kernel.org/stable/c/89d4cca583fc9594ee7d1a0bc986886d6fb587e6 https://git.kernel.org/stable/c/31198e58c09e21d4f65c49d2361f76b87aca4c3f https://git.kernel.org/stable/c/e804861bd4e69cc5fe1053eedcb024982dde8e48 •