CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2022-48899 – drm/virtio: Fix GEM handle creation UAF
https://notcve.org/view.php?id=CVE-2022-48899
In the Linux kernel, the following vulnerability has been resolved: drm/virtio: Fix GEM handle creation UAF Userspace can guess the handle value and try to race GEM object creation with handle close, resulting in a use-after-free if we dereference the object after dropping the handle's reference. For that reason, dropping the handle's reference must be done *after* we are done dereferencing the object. • https://git.kernel.org/stable/c/62fb7a5e10962ac6ae2a2d2dbd3aedcb2a3e3257 https://git.kernel.org/stable/c/19ec87d06acfab2313ee82b2a689bf0c154e57ea https://git.kernel.org/stable/c/d01d6d2b06c0d8390adf8f3ba08aa60b5642ef73 https://git.kernel.org/stable/c/68bcd063857075d2f9edfed6024387ac377923e2 https://git.kernel.org/stable/c/011ecdbcd520c90c344b872ca6b4821f7783b2f8 https://git.kernel.org/stable/c/adc48e5e408afbb01d261bd303fd9fbbbaa3e317 https://git.kernel.org/stable/c/52531258318ed59a2dc5a43df2eaf0eb1d65438e •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48898 – drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer
https://notcve.org/view.php?id=CVE-2022-48898
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer There are 3 possible interrupt sources are handled by DP controller, HPDstatus, Controller state changes and Aux read/write transaction. At every irq, DP controller have to check isr status of every interrupt sources and service the interrupt if its isr status bits shows interrupts are pending. There is potential race condition may happen at current aux isr handler implementation since it is always complete dp_aux_cmd_fifo_tx() even irq is not for aux read or write transaction. This may cause aux read transaction return premature if host aux data read is in the middle of waiting for sink to complete transferring data to host while irq happen. This will cause host's receiving buffer contains unexpected data. This patch fixes this problem by checking aux isr and return immediately at aux isr handler if there are no any isr status bits set. Current there is a bug report regrading eDP edid corruption happen during system booting up. After lengthy debugging to found that VIDEO_READY interrupt was continuously firing during system booting up which cause dp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data from aux hardware buffer which is not yet contains complete data transfer from sink. • https://git.kernel.org/stable/c/c943b4948b5848fc0e07f875edbd35a973879e22 https://git.kernel.org/stable/c/785607e5e6fb52caf141e4580de40405565f04f1 https://git.kernel.org/stable/c/984ad875db804948c86ca9e1c2e784ae8252715a https://git.kernel.org/stable/c/b7dcbca46db3c77fdb02c2a9d6239e5aa3b06a59 https://git.kernel.org/stable/c/1cba0d150fa102439114a91b3e215909efc9f169 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2022-48896 – ixgbe: fix pci device refcount leak
https://notcve.org/view.php?id=CVE-2022-48896
In the Linux kernel, the following vulnerability has been resolved: ixgbe: fix pci device refcount leak As the comment of pci_get_domain_bus_and_slot() says, it returns a PCI device with refcount incremented, when finish using it, the caller must decrement the reference count by calling pci_dev_put(). In ixgbe_get_first_secondary_devfn() and ixgbe_x550em_a_has_mii(), pci_dev_put() is called to avoid leak. • https://git.kernel.org/stable/c/8fa10ef01260937eb540b4e9bbc3efa023595993 https://git.kernel.org/stable/c/53cefa802f070d46c0c518f4865be2c749818a18 https://git.kernel.org/stable/c/112df4cd2b09acd64bcd18f5ef83ba5d07b34bf0 https://git.kernel.org/stable/c/4c93422a54cd6a349988f42e1c6bf082cf4ea9d8 https://git.kernel.org/stable/c/c49996c6aa03590e4ef5add8772cb6068d99fd59 https://git.kernel.org/stable/c/b93fb4405fcb5112c5739c5349afb52ec7f15c07 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2022-48893 – drm/i915/gt: Cleanup partial engine discovery failures
https://notcve.org/view.php?id=CVE-2022-48893
In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Cleanup partial engine discovery failures If we abort driver initialisation in the middle of gt/engine discovery, some engines will be fully setup and some not. Those incompletely setup engines only have 'engine->release == NULL' and so will leak any of the common objects allocated. v2: - Drop the destroy_pinned_context() helper for now. It's not really worth it with just a single callsite at the moment. (Janusz) • https://git.kernel.org/stable/c/5c855bcc730656c4b7d30aaddcd0eafc7003e112 https://git.kernel.org/stable/c/78a033433a5ae4fee85511ee075bc9a48312c79e •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48892 – sched/core: Fix use-after-free bug in dup_user_cpus_ptr()
https://notcve.org/view.php?id=CVE-2022-48892
In the Linux kernel, the following vulnerability has been resolved: sched/core: Fix use-after-free bug in dup_user_cpus_ptr() Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems"), the setting and clearing of user_cpus_ptr are done under pi_lock for arm64 architecture. However, dup_user_cpus_ptr() accesses user_cpus_ptr without any lock protection. Since sched_setaffinity() can be invoked from another process, the process being modified may be undergoing fork() at the same time. When racing with the clearing of user_cpus_ptr in __set_cpus_allowed_ptr_locked(), it can lead to user-after-free and possibly double-free in arm64 kernel. Commit 8f9ea86fdf99 ("sched: Always preserve the user requested cpumask") fixes this problem as user_cpus_ptr, once set, will never be cleared in a task's lifetime. However, this bug was re-introduced in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in do_set_cpus_allowed(). • https://git.kernel.org/stable/c/07ec77a1d4e82526e1588979fff2f024f8e96df2 https://git.kernel.org/stable/c/b22faa21b6230d5eccd233e1b7e0026a5002b287 https://git.kernel.org/stable/c/7b5cc7fd1789ea5dbb942c9f8207b076d365badc https://git.kernel.org/stable/c/87ca4f9efbd7cc649ff43b87970888f2812945b8 •