CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2022-48971 – Bluetooth: Fix not cleanup led when bt_init fails
https://notcve.org/view.php?id=CVE-2022-48971
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix not cleanup led when bt_init fails bt_init() calls bt_leds_init() to register led, but if it fails later, bt_leds_cleanup() is not called to unregister it. This can cause panic if the argument "bluetooth-power" in text is freed and then another led_trigger_register() tries to access it: BUG: unable to handle page fault for address: ffffffffc06d3bc0 RIP: 0010:strcmp+0xc/0x30 Call Trace: <TASK> led_trigger_register+0x10d/0x4f0 led_trigger_register_simple+0x7d/0x100 bt_init+0x39/0xf7 [bluetooth] do_one_initcall+0xd0/0x4e0 • https://git.kernel.org/stable/c/e64c97b53bc6727aa4385535166aaa047281e02d https://git.kernel.org/stable/c/8a66c3a94285552f6a8e45d73b34ebbad11d388b https://git.kernel.org/stable/c/2c6cf0afc3856359e620e96edd952457d258e16c https://git.kernel.org/stable/c/e7b950458156d410509a08c41930b75e72985938 https://git.kernel.org/stable/c/edf7284a98296369dd0891a0457eec37df244873 https://git.kernel.org/stable/c/5ecf7cd6fde5e72c87122084cf00d63e35d8dd9f https://git.kernel.org/stable/c/2f3957c7eb4e07df944169a3e50a4d6790e1c744 •
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2022-48969 – xen-netfront: Fix NULL sring after live migration
https://notcve.org/view.php?id=CVE-2022-48969
In the Linux kernel, the following vulnerability has been resolved: xen-netfront: Fix NULL sring after live migration A NAPI is setup for each network sring to poll data to kernel The sring with source host is destroyed before live migration and new sring with target host is setup after live migration. The NAPI for the old sring is not deleted until setup new sring with target host after migration. With busy_poll/busy_read enabled, the NAPI can be polled before got deleted when resume VM. BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: xennet_poll+0xae/0xd20 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI Call Trace: finish_task_switch+0x71/0x230 timerqueue_del+0x1d/0x40 hrtimer_try_to_cancel+0xb5/0x110 xennet_alloc_rx_buffers+0x2a0/0x2a0 napi_busy_loop+0xdb/0x270 sock_poll+0x87/0x90 do_sys_poll+0x26f/0x580 tracing_map_insert+0x1d4/0x2f0 event_hist_trigger+0x14a/0x260 finish_task_switch+0x71/0x230 __schedule+0x256/0x890 recalc_sigpending+0x1b/0x50 xen_sched_clock+0x15/0x20 __rb_reserve_next+0x12d/0x140 ring_buffer_lock_reserve+0x123/0x3d0 event_triggers_call+0x87/0xb0 trace_event_buffer_commit+0x1c4/0x210 xen_clocksource_get_cycles+0x15/0x20 ktime_get_ts64+0x51/0xf0 SyS_ppoll+0x160/0x1a0 SyS_ppoll+0x160/0x1a0 do_syscall_64+0x73/0x130 entry_SYSCALL_64_after_hwframe+0x41/0xa6 ... RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900 CR2: 0000000000000008 ---[ end trace f8601785b354351c ]--- xen frontend should remove the NAPIs for the old srings before live migration as the bond srings are destroyed There is a tiny window between the srings are set to NULL and the NAPIs are disabled, It is safe as the NAPI threads are still frozen at that time • https://git.kernel.org/stable/c/4ec2411980d0fd2995e8dea8a06fe57aa47523cb https://git.kernel.org/stable/c/99859947517e446058ad7243ee81d2f9801fa3dd https://git.kernel.org/stable/c/ed773dd798bf720756d20021b8d8a4a3d7184bda https://git.kernel.org/stable/c/e6860c889f4ad50b6ab696f5ea154295d72cf27a https://git.kernel.org/stable/c/e6e897d4fe2f89c0bd94600a40bedf5e6e75e050 https://git.kernel.org/stable/c/f2dd60fd3fe98bd36a91b0c6e10bfe9d66258f84 https://git.kernel.org/stable/c/d50b7914fae04d840ce36491d22133070b18cca9 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48967 – NFC: nci: Bounds check struct nfc_target arrays
https://notcve.org/view.php?id=CVE-2022-48967
In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Bounds check struct nfc_target arrays While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported: memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18) This appears to be a legitimate lack of bounds checking in nci_add_new_protocol(). Add the missing checks. • https://git.kernel.org/stable/c/019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5 https://git.kernel.org/stable/c/6b37f0dc0638d13a006f2f24d2f6ca61e83bc714 https://git.kernel.org/stable/c/dbdcfb9f6748218a149f62468d6297ce3f014e9c https://git.kernel.org/stable/c/cff35329070b96b4484d23f9f48a5ca2c947e750 https://git.kernel.org/stable/c/6778434706940b8fad7ef35f410d2b9929f256d2 https://git.kernel.org/stable/c/27eb2d7a1b9987b6d0429b7716b1ff3b82c4ffc9 https://git.kernel.org/stable/c/908b2da426fe9c3ce74cf541ba40e7a4251db191 https://git.kernel.org/stable/c/f41547546db9af99da2c34e3368664d7a •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48966 – net: mvneta: Prevent out of bounds read in mvneta_config_rss()
https://notcve.org/view.php?id=CVE-2022-48966
In the Linux kernel, the following vulnerability has been resolved: net: mvneta: Prevent out of bounds read in mvneta_config_rss() The pp->indir[0] value comes from the user. It is passed to: if (cpu_online(pp->rxq_def)) inside the mvneta_percpu_elect() function. It needs bounds checkeding to ensure that it is not beyond the end of the cpu bitmap. • https://git.kernel.org/stable/c/cad5d847a093077b499a8b0bbfe6804b9226c03e https://git.kernel.org/stable/c/3ceffb8f410b93553fb16fe7e84aa0d35b3ba79b https://git.kernel.org/stable/c/47a1a2f6cd5ec3a4f8a2d9bfa1e0605347cdb92c https://git.kernel.org/stable/c/5a142486a0db6b0b85031f22d69acd0cdcf8f72b https://git.kernel.org/stable/c/eec1fc21edc2bb99c9e66cf66f0b5d4d643fbb50 https://git.kernel.org/stable/c/146ebee8fcdb349d7ec0e49915e6cdafb92544ae https://git.kernel.org/stable/c/a6b30598fec84f8809f5417cde73071ca43e8471 https://git.kernel.org/stable/c/6ca0a506dddc3e1d636935eef339576b2 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48962 – net: hisilicon: Fix potential use-after-free in hisi_femac_rx()
https://notcve.org/view.php?id=CVE-2022-48962
In the Linux kernel, the following vulnerability has been resolved: net: hisilicon: Fix potential use-after-free in hisi_femac_rx() The skb is delivered to napi_gro_receive() which may free it, after calling this, dereferencing skb may trigger use-after-free. • https://git.kernel.org/stable/c/542ae60af24f02e130e62cb3b7c23163a2350056 https://git.kernel.org/stable/c/3501da8eb6d0f5f114a09ec953c54423f6f35885 https://git.kernel.org/stable/c/196e12671cb629d9f3b77b4d8bec854fc445533a https://git.kernel.org/stable/c/aceec8ab752428d8e151321479e82cc1a40fee2e https://git.kernel.org/stable/c/e71a46cc8c9ad75f3bb0e4b361e81f79c0214cca https://git.kernel.org/stable/c/296a50aa8b2982117520713edc1375777a9f8506 https://git.kernel.org/stable/c/6f4798ac9c9e98f41553c4f5e6c832c8860a6942 https://git.kernel.org/stable/c/8595a2db8eb0ffcbb466eb9f4a7507a5b •