CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49006 – tracing: Free buffers when a used dynamic event is removed
https://notcve.org/view.php?id=CVE-2022-49006
In the Linux kernel, the following vulnerability has been resolved: tracing: Free buffers when a used dynamic event is removed After 65536 dynamic events have been added and removed, the "type" field of the event then uses the first type number that is available (not currently used by other events). A type number is the identifier of the binary blobs in the tracing ring buffer (known as events) to map them to logic that can parse the binary blob. The issue is that if a dynamic event (like a kprobe event) is traced and is in the ring buffer, and then that event is removed (because it is dynamic, which means it can be created and destroyed), if another dynamic event is created that has the same number that new event's logic on parsing the binary blob will be used. To show how this can be an issue, the following can crash the kernel: # cd /sys/kernel/tracing # for i in `seq 65536`; do echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events # done For every iteration of the above, the writing to the kprobe_events will remove the old event and create a new one (with the same format) and increase the type number to the next available on until the type number reaches over 65535 which is the max number for the 16 bit type. After it reaches that number, the logic to allocate a new number simply looks for the next available number. When an dynamic event is removed, that number is then available to be reused by the next dynamic event created. That is, once the above reaches the max number, the number assigned to the event in that loop will remain the same. Now that means deleting one dynamic event and created another will reuse the previous events type number. • https://git.kernel.org/stable/c/77b44d1b7c28360910cdbd427fb62d485c08674c https://git.kernel.org/stable/c/1603feac154ff38514e8354e3079a455eb4801e2 https://git.kernel.org/stable/c/be111ebd8868d4b7c041cb3c6102e1ae27d6dc1d https://git.kernel.org/stable/c/417d5ea6e735e5d88ffb6c436cf2938f3f476dd1 https://git.kernel.org/stable/c/c52d0c8c4f38f7580cff61c4dfe1034c580cedfd https://git.kernel.org/stable/c/4313e5a613049dfc1819a6dfb5f94cf2caff9452 •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2022-49005 – ASoC: ops: Fix bounds check for _sx controls
https://notcve.org/view.php?id=CVE-2022-49005
In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Fix bounds check for _sx controls For _sx controls the semantics of the max field is not the usual one, max is the number of steps rather than the maximum value. This means that our check in snd_soc_put_volsw_sx() needs to just check against the maximum value. • https://git.kernel.org/stable/c/9e5c40b5706d8aae2cf70bd7e01f0b4575a642d0 https://git.kernel.org/stable/c/4977491e4b3aad8567f57e2a9992d251410c1db3 https://git.kernel.org/stable/c/9a12fcbf3c622f9bf6b110a873d62b0cba93972e https://git.kernel.org/stable/c/c33402b056de61104b6146dedbe138ca8d7ec62b https://git.kernel.org/stable/c/038f8b7caa74d29e020949a43ca368c93f6b29b9 https://git.kernel.org/stable/c/e8e07c5e25a29e2a6f119fd947f55d7a55eb8a13 https://git.kernel.org/stable/c/4f1e50d6a9cf9c1b8c859d449b5031cacfa8404e https://git.kernel.org/stable/c/ef6cd9eeb38062a145802b7b56be7ae10 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49004 – riscv: Sync efi page table's kernel mappings before switching
https://notcve.org/view.php?id=CVE-2022-49004
In the Linux kernel, the following vulnerability has been resolved: riscv: Sync efi page table's kernel mappings before switching The EFI page table is initially created as a copy of the kernel page table. With VMAP_STACK enabled, kernel stacks are allocated in the vmalloc area: if the stack is allocated in a new PGD (one that was not present at the moment of the efi page table creation or not synced in a previous vmalloc fault), the kernel will take a trap when switching to the efi page table when the vmalloc kernel stack is accessed, resulting in a kernel panic. Fix that by updating the efi kernel mappings before switching to the efi page table. • https://git.kernel.org/stable/c/b91540d52a08b65eb6a2b09132e1bd54fa82754c https://git.kernel.org/stable/c/fa7a7d185ef380546b4b1fed6f84f31dbae8cec7 https://git.kernel.org/stable/c/96f479383d92944406d4b3f2bc03c2f640def9f1 https://git.kernel.org/stable/c/3f105a742725a1b78766a55169f1d827732e62b8 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49002 – iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()
https://notcve.org/view.php?id=CVE-2022-49002
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init() for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() for the error path to avoid reference count leak. • https://git.kernel.org/stable/c/2e45528930388658603ea24d49cf52867b928d3e https://git.kernel.org/stable/c/d47bc9d7bcdbb9adc9703513d964b514fee5b0bf https://git.kernel.org/stable/c/71c4a621985fc051ab86d3a86c749069a993fcb2 https://git.kernel.org/stable/c/876d7bfb89273997056220029ff12b1c2cc4691d https://git.kernel.org/stable/c/cbdd83bd2fd67142b03ce9dbdd1eab322ff7321f https://git.kernel.org/stable/c/a5c65cd56aed027f8a97fda8b691caaeb66d115e https://git.kernel.org/stable/c/bdb613ef179ad4bb9d56a2533e9b30e434f1dfb7 https://git.kernel.org/stable/c/2a8f7b90681472948de172dbbf5a54cd3 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49000 – iommu/vt-d: Fix PCI device refcount leak in has_external_pci()
https://notcve.org/view.php?id=CVE-2022-49000
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix PCI device refcount leak in has_external_pci() for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() before 'return true' to avoid reference count leak. • https://git.kernel.org/stable/c/89a6079df791aeace2044ea93be1b397195824ec https://git.kernel.org/stable/c/10ed7655a17f6a3eaecd1293830488259ccd5723 https://git.kernel.org/stable/c/b6eea8b2e858a20ad58ac62dc2de90fea2413f94 https://git.kernel.org/stable/c/17f67414718e6aba123335a33b7d15aa594fff34 https://git.kernel.org/stable/c/afca9e19cc720bfafc75dc5ce429c185ca93f31d •