CVE-2022-49033 – btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()
https://notcve.org/view.php?id=CVE-2022-49033
In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit() Syzkaller reported BUG as follows: BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274 Call Trace: <TASK> dump_stack_lvl+0xcd/0x134 __might_resched.cold+0x222/0x26b kmem_cache_alloc+0x2e7/0x3c0 update_qgroup_limit_item+0xe1/0x390 btrfs_qgroup_inherit+0x147b/0x1ee0 create_subvol+0x4eb/0x1710 btrfs_mksubvol+0xfe5/0x13f0 __btrfs_ioctl_snap_create+0x2b0/0x430 btrfs_ioctl_snap_create_v2+0x25a/0x520 btrfs_ioctl+0x2a1c/0x5ce0 __x64_sys_ioctl+0x193/0x200 do_syscall_64+0x35/0x80 Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in btrfs_run_qgroups() later outside of the spinlock context. • https://git.kernel.org/stable/c/89840b12c8fad7200eb6478525c13261512c01be https://git.kernel.org/stable/c/3c98e91be6aea4c7acf09da6eb0c107ea9186bb5 https://git.kernel.org/stable/c/f4b930a1602b05e77fee31f9616599b25e910a86 https://git.kernel.org/stable/c/8eb912af525042a7365295eb62f6d5270c2a6462 https://git.kernel.org/stable/c/01d7c41eac9129fba80d8aed0060caab4a7dbe09 https://git.kernel.org/stable/c/044da1a371a0da579e805e89c96865f62d8f6f69 https://git.kernel.org/stable/c/588ae4fdd8b11788a797776b10d6c44ae12bc133 https://git.kernel.org/stable/c/f7e942b5bb35d8e3af54053d19a6bf041 •
CVE-2022-49032 – iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw
https://notcve.org/view.php?id=CVE-2022-49032
In the Linux kernel, the following vulnerability has been resolved: iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw KASAN report out-of-bounds read as follows: BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380 Read of size 4 at addr ffffffffc00e4658 by task cat/278 Call Trace: afe4404_read_raw iio_read_channel_info dev_attr_show The buggy address belongs to the variable: afe4404_channel_leds+0x18/0xffffffffffffe9c0 This issue can be reproduce by singe command: $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw The array size of afe4404_channel_leds and afe4404_channel_offdacs are less than channels, so access with chan->address cause OOB read in afe4404_[read|write]_raw. Fix it by moving access before use them. • https://git.kernel.org/stable/c/b36e8257641a043764c62240316610c81e36376c https://git.kernel.org/stable/c/68de7da092f38395dde523f2e5db26eba6c23e28 https://git.kernel.org/stable/c/113c08030a89aaf406f8a1d4549d758a67c2afba https://git.kernel.org/stable/c/f5575041ec15310bdc50c42b8b22118cc900226e https://git.kernel.org/stable/c/3f566b626029ca8598d48e5074e56bb37399ca1b https://git.kernel.org/stable/c/5eb114f55b37dbc0487aa9c1913b81bb7837f1c4 https://git.kernel.org/stable/c/f7419fc42afc035f6b29ce713e17dcd2000c833f https://git.kernel.org/stable/c/d45d9f45e7b1365fd0d9bf14680d6d508 •
CVE-2022-49031 – iio: health: afe4403: Fix oob read in afe4403_read_raw
https://notcve.org/view.php?id=CVE-2022-49031
In the Linux kernel, the following vulnerability has been resolved: iio: health: afe4403: Fix oob read in afe4403_read_raw KASAN report out-of-bounds read as follows: BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0 Read of size 4 at addr ffffffffc02ac638 by task cat/279 Call Trace: afe4403_read_raw iio_read_channel_info dev_attr_show The buggy address belongs to the variable: afe4403_channel_leds+0x18/0xffffffffffffe9e0 This issue can be reproduced by singe command: $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw The array size of afe4403_channel_leds is less than channels, so access with chan->address cause OOB read in afe4403_read_raw. Fix it by moving access before use it. • https://git.kernel.org/stable/c/b36e8257641a043764c62240316610c81e36376c https://git.kernel.org/stable/c/98afcb5f3be645d330c74c5194ba0d80e26f95e0 https://git.kernel.org/stable/c/c9268df36818ee4eaaaeadc80009b442a5ca69c9 https://git.kernel.org/stable/c/726fa3e4ab97dcff1c745bdc4fb137366cb8d3df https://git.kernel.org/stable/c/2d6a437064ffbe685c67ddb16dfc0946074c6c3f https://git.kernel.org/stable/c/b1756af172fb80a3edc143772d49e166ec691b6c https://git.kernel.org/stable/c/e7e76a77aabef8989cbc0a8417af1aa040620867 https://git.kernel.org/stable/c/06c6ce21cec77dfa860d57e7a006000a5 •
CVE-2022-49030 – libbpf: Handle size overflow for ringbuf mmap
https://notcve.org/view.php?id=CVE-2022-49030
In the Linux kernel, the following vulnerability has been resolved: libbpf: Handle size overflow for ringbuf mmap The maximum size of ringbuf is 2GB on x86-64 host, so 2 * max_entries will overflow u32 when mapping producer page and data pages. Only casting max_entries to size_t is not enough, because for 32-bits application on 64-bits kernel the size of read-only mmap region also could overflow size_t. So fixing it by casting the size of read-only mmap region into a __u64 and checking whether or not there will be overflow during mmap. • https://git.kernel.org/stable/c/bf99c936f9478a05d51e9f101f90de70bee9a89c https://git.kernel.org/stable/c/8a549ab6724520aa3c07f47e0eba820293551490 https://git.kernel.org/stable/c/0140e079a42064680394fff1199a7b5483688dec https://git.kernel.org/stable/c/535a25ab4f9a45f74ba38ab71de95e97474922ed https://git.kernel.org/stable/c/927cbb478adf917e0a142b94baa37f06279cc466 •
CVE-2022-49029 – hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails
https://notcve.org/view.php?id=CVE-2022-49029
In the Linux kernel, the following vulnerability has been resolved: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails Smatch report warning as follows: drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn: '&data->list' not removed from list If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will be freed, but data->list will not be removed from driver_data.bmc_data, then list traversal may cause UAF. Fix by removeing it from driver_data.bmc_data before free(). • https://git.kernel.org/stable/c/57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab https://git.kernel.org/stable/c/f2a13196ad41c6c2ab058279dffe6c97292e753a https://git.kernel.org/stable/c/798198273bf86673b970b51acdb35e57f42b3fcb https://git.kernel.org/stable/c/24b9633f7db7f4809be7053df1d2e117e7c2de10 https://git.kernel.org/stable/c/7b2b67fe1339389e0bf3c37c7a677a004ac0e4e3 https://git.kernel.org/stable/c/90907cd4d11351ff76c9a447bcb5db0e264c47cd https://git.kernel.org/stable/c/45f6e81863747c0d7bc6a95ec51129900e71467a https://git.kernel.org/stable/c/e65cfd1f9cd27d9c27ee5cb88128a9f79 •