CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48863 – mISDN: Fix memory leak in dsp_pipeline_build()
https://notcve.org/view.php?id=CVE-2022-48863
In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, "|"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mISDN: corrige la pérdida de memoria en dsp_pipeline_build() dsp_pipeline_build() asigna el puntero dup mediante kstrdup(cfg), pero luego actualiza la variable dup mediante strsep(&dup, "|"). Como resultado, cuando llama a kfree(dup), la variable dup contiene NULL. Encontrado por el proyecto de verificación de controladores de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/960366cf8dbb3359afaca30cf7fdbf69a6d6dda7 https://git.kernel.org/stable/c/a3d5fcc6cf2ecbba5a269631092570aa285a24cb https://git.kernel.org/stable/c/7777b1f795af1bb43867375d8a776080111aae1b https://git.kernel.org/stable/c/640445d6fc059d4514ffea79eb4196299e0e2d0f https://git.kernel.org/stable/c/c6a502c2299941c8326d029cfc8a3bc8a4607ad5 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48860 – ethernet: Fix error handling in xemaclite_of_probe
https://notcve.org/view.php?id=CVE-2022-48860
In the Linux kernel, the following vulnerability has been resolved: ethernet: Fix error handling in xemaclite_of_probe This node pointer is returned by of_parse_phandle() with refcount incremented in this function. Calling of_node_put() to avoid the refcount leak. As the remove function do. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ethernet: corrige el manejo de errores en xemaclite_of_probe Este puntero de nodo lo devuelve of_parse_phandle() con refcount incrementado en esta función. Llamar a of_node_put() para evitar la fuga de recuento. • https://git.kernel.org/stable/c/5cdaaa12866e916d0ada8b56c5f0e543cfc7fe3d https://git.kernel.org/stable/c/669172ce976608b25a2f76f3c65d47f042d125c9 https://git.kernel.org/stable/c/b7220f8e9d6c6b9594ddfb3125dad938cd478b1f https://git.kernel.org/stable/c/8609e29611befc4bfbe7a91bb50fc65ae72ff549 https://git.kernel.org/stable/c/8ee065a7a9b6a3976c16340503677efc4d8351f6 https://git.kernel.org/stable/c/979b418b96e35f07136f77962ccfaa54cf3e30e1 https://git.kernel.org/stable/c/5e7c402892e189a7bc152b125e72261154aa585d https://git.kernel.org/stable/c/1852854ee349881efb78ccdbbb2378389 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48857 – NFC: port100: fix use-after-free in port100_send_complete
https://notcve.org/view.php?id=CVE-2022-48857
In the Linux kernel, the following vulnerability has been resolved: NFC: port100: fix use-after-free in port100_send_complete Syzbot reported UAF in port100_send_complete(). The root case is in missing usb_kill_urb() calls on error handling path of ->probe function. port100_send_complete() accesses devm allocated memory which will be freed on probe failure. We should kill this urbs before returning an error from probe function to prevent reported use-after-free Fail log: BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26 ... Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670 ... Allocated by task 1255: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524 alloc_dr drivers/base/devres.c:116 [inline] devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823 devm_kzalloc include/linux/device.h:209 [inline] port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502 Freed by task 1255: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:236 [inline] __cache_free mm/slab.c:3437 [inline] kfree+0xf8/0x2b0 mm/slab.c:3794 release_nodes+0x112/0x1a0 drivers/base/devres.c:501 devres_release_all+0x114/0x190 drivers/base/devres.c:530 really_probe+0x626/0xcc0 drivers/base/dd.c:670 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: NFC: puerto100: corrige use-after-free en port100_send_complete Syzbot informó UAF en port100_send_complete(). El caso raíz es que faltan llamadas usb_kill_urb() en la ruta de manejo de errores de ->función de sonda. port100_send_complete() accede a la memoria asignada por el desarrollador que se liberará en caso de falla de la sonda. Deberíamos eliminar estas urbs antes de devolver un error de la función de sonda para evitar el registro de errores de use-after-free: ERROR: KASAN: use-after-free en port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 Lectura de tamaño 1 en addr ffff88801bb59540 por tarea ksoftirqd/2/26... • https://git.kernel.org/stable/c/0347a6ab300a1532c298823408d6e51ccf4e4f45 https://git.kernel.org/stable/c/205c4ec78e71cbf561794e6043da80e7bae6790f https://git.kernel.org/stable/c/32e866ae5a7af590597ef4bcff8451bf96d5f980 https://git.kernel.org/stable/c/b1db33d4e54bc35d8db96ce143ea0ef92e23d58e https://git.kernel.org/stable/c/cd2a5c0da0d1ddf11d1f84e9c9b1949f50f6e161 https://git.kernel.org/stable/c/2b1c85f56512d49e43bc53741fce2f508cd90029 https://git.kernel.org/stable/c/0e721b8f2ee5e11376dd55363f9ccb539d754b8a https://git.kernel.org/stable/c/7194737e1be8fdc89d2a9382bd2f371f7 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48853 – swiotlb: fix info leak with DMA_FROM_DEVICE
https://notcve.org/view.php?id=CVE-2022-48853
In the Linux kernel, the following vulnerability has been resolved: swiotlb: fix info leak with DMA_FROM_DEVICE The problem I'm addressing was discovered by the LTP test covering cve-2018-1000204. A short description of what happens follows: 1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV and a corresponding dxferp. The peculiar thing about this is that TUR is not reading from the device. 2) In sg_start_req() the invocation of blk_rq_map_user() effectively bounces the user-space buffer. As if the device was to transfer into it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()") we make sure this first bounce buffer is allocated with GFP_ZERO. 3) For the rest of the story we keep ignoring that we have a TUR, so the device won't touch the buffer we prepare as if the we had a DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device and the buffer allocated by SG is mapped by the function virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here scatter-gather and not scsi generics). • https://git.kernel.org/stable/c/c132f2ba716b5ee6b35f82226a6e5417d013d753 https://git.kernel.org/stable/c/971e5dadffd02beba1063e7dd9c3a82de17cf534 https://git.kernel.org/stable/c/8d9ac1b6665c73f23e963775f85d99679fd8e192 https://git.kernel.org/stable/c/6bfc5377a210dbda2a237f16d94d1bd4f1335026 https://git.kernel.org/stable/c/d4d975e7921079f877f828099bb8260af335508f https://git.kernel.org/stable/c/7403f4118ab94be837ab9d770507537a8057bc63 https://git.kernel.org/stable/c/270475d6d2410ec66e971bf181afe1958dad565e https://git.kernel.org/stable/c/ddbd89deb7d32b1fbb879f48d68fda1a8 •
CVSS: 3.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48852 – drm/vc4: hdmi: Unregister codec device on unbind
https://notcve.org/view.php?id=CVE-2022-48852
In the Linux kernel, the following vulnerability has been resolved: drm/vc4: hdmi: Unregister codec device on unbind On bind we will register the HDMI codec device but we don't unregister it on unbind, leading to a device leakage. Unregister our device at unbind. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/vc4: hdmi: Anular el registro del dispositivo códec al desvincular. Al vincular, registraremos el dispositivo códec HDMI pero no lo cancelaremos al desvincular, lo que provoca una fuga del dispositivo. Dar de baja nuestro dispositivo en unbind. • https://git.kernel.org/stable/c/ee22082c3e2f230028afa0e22aa8773b1de3c919 https://git.kernel.org/stable/c/1ed68d776246f167aee9cd79f63f089c40a5e2a3 https://git.kernel.org/stable/c/e40945ab7c7f966d0c37b7bd7b0596497dfe228d •