CVE-2022-48739 – ASoC: hdmi-codec: Fix OOB memory accesses
https://notcve.org/view.php?id=CVE-2022-48739
In the Linux kernel, the following vulnerability has been resolved: ASoC: hdmi-codec: Fix OOB memory accesses Correct size of iec_status array by changing it to the size of status array of the struct snd_aes_iec958. This fixes out-of-bounds slab read accesses made by memcpy() of the hdmi-codec driver. This problem is reported by KASAN. • https://git.kernel.org/stable/c/7a8e1d44211e16eb394b7b9e0b236ee1503a3ad3 https://git.kernel.org/stable/c/10007bd96b6c4c3cfaea9e76c311b06a07a5e260 https://git.kernel.org/stable/c/1552e66be325a21d7eff49f46013fb402165a0ac https://git.kernel.org/stable/c/06feec6005c9d9500cd286ec440aabf8b2ddd94d •
CVE-2022-48738 – ASoC: ops: Reject out of bounds values in snd_soc_put_volsw()
https://notcve.org/view.php?id=CVE-2022-48738
In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() We don't currently validate that the values being set are within the range we advertised to userspace as being valid, do so and reject any values that are out of range. • https://git.kernel.org/stable/c/40f598698129b5ceaf31012f9501b775c7b6e57d https://git.kernel.org/stable/c/586ef863c94354a7e00e5ae5ef01443d1dc99bc7 https://git.kernel.org/stable/c/65a61b1f56f5386486757930069fbdce94af08bf https://git.kernel.org/stable/c/68fd718724284788fc5f379e0b7cac541429ece7 https://git.kernel.org/stable/c/a9394f21fba027147bf275b083c77955864c366a https://git.kernel.org/stable/c/9e8895f1b3d4433f6d78aa6578e9db61ca6e6830 https://git.kernel.org/stable/c/bb72d2dda85564c66d909108ea6903937a41679d https://git.kernel.org/stable/c/817f7c9335ec01e0f5e8caffc4f1dcd5e • CWE-125: Out-of-bounds Read •
CVE-2022-48735 – ALSA: hda: Fix UAF of leds class devs at unbinding
https://notcve.org/view.php?id=CVE-2022-48735
In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: Fix UAF of leds class devs at unbinding The LED class devices that are created by HD-audio codec drivers are registered via devm_led_classdev_register() and associated with the HD-audio codec device. Unfortunately, it turned out that the devres release doesn't work for this case; namely, since the codec resource release happens before the devm call chain, it triggers a NULL dereference or a UAF for a stale set_brightness_delay callback. For fixing the bug, this patch changes the LED class device register and unregister in a manual manner without devres, keeping the instances in hda_gen_spec. • https://git.kernel.org/stable/c/a7de1002135cf94367748ffc695a29812d7633b5 https://git.kernel.org/stable/c/0e629052f013eeb61494d4df2f1f647c2a9aef47 https://git.kernel.org/stable/c/813e9f3e06d22e29872d4fd51b54992d89cf66c8 https://git.kernel.org/stable/c/549f8ffc7b2f7561bea7f90930b6c5104318e87b •
CVE-2022-48734 – btrfs: fix deadlock between quota disable and qgroup rescan worker
https://notcve.org/view.php?id=CVE-2022-48734
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock between quota disable and qgroup rescan worker Quota disable ioctl starts a transaction before waiting for the qgroup rescan worker completes. However, this wait can be infinite and results in deadlock because of circular dependency among the quota disable ioctl, the qgroup rescan worker and the other task with transaction such as block group relocation task. The deadlock happens with the steps following: 1) Task A calls ioctl to disable quota. It starts a transaction and waits for qgroup rescan worker completes. 2) Task B such as block group relocation task starts a transaction and joins to the transaction that task A started. Then task B commits to the transaction. In this commit, task B waits for a commit by task A. 3) Task C as the qgroup rescan worker starts its job and starts a transaction. • https://git.kernel.org/stable/c/26b3901d20bf9da2c6a00cb1fb48932166f80a45 https://git.kernel.org/stable/c/32747e01436aac8ef93fe85b5b523b4f3b52f040 https://git.kernel.org/stable/c/89d4cca583fc9594ee7d1a0bc986886d6fb587e6 https://git.kernel.org/stable/c/31198e58c09e21d4f65c49d2361f76b87aca4c3f https://git.kernel.org/stable/c/e804861bd4e69cc5fe1053eedcb024982dde8e48 •
CVE-2022-48733 – btrfs: fix use-after-free after failure to create a snapshot
https://notcve.org/view.php?id=CVE-2022-48733
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free after failure to create a snapshot At ioctl.c:create_snapshot(), we allocate a pending snapshot structure and then attach it to the transaction's list of pending snapshots. After that we call btrfs_commit_transaction(), and if that returns an error we jump to 'fail' label, where we kfree() the pending snapshot structure. This can result in a later use-after-free of the pending snapshot: 1) We allocated the pending snapshot and added it to the transaction's list of pending snapshots; 2) We call btrfs_commit_transaction(), and it fails either at the first call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups(). In both cases, we don't abort the transaction and we release our transaction handle. We jump to the 'fail' label and free the pending snapshot structure. We return with the pending snapshot still in the transaction's list; 3) Another task commits the transaction. • https://git.kernel.org/stable/c/7e4c72dbaf62f8978af8321a24dbd35566d3a78a https://git.kernel.org/stable/c/a7b717fa15165d3d9245614680bebc48a52ac05d https://git.kernel.org/stable/c/9372fa1d73da5f1673921e365d0cd2c27ec7adc2 https://git.kernel.org/stable/c/28b21c558a3753171097193b6f6602a94169093a •