CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2022-48981 – drm/shmem-helper: Remove errant put in error path
https://notcve.org/view.php?id=CVE-2022-48981
In the Linux kernel, the following vulnerability has been resolved: drm/shmem-helper: Remove errant put in error path drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM object getting prematurely freed leading to a later use-after-free. • https://git.kernel.org/stable/c/2194a63a818db71065ebe09c8104f5f021ca4e7b https://git.kernel.org/stable/c/585a07b820059462e0c93b76c7de2cd946b26b40 https://git.kernel.org/stable/c/6a4da05acd062ae7774b6b19cef2b7d922902d36 https://git.kernel.org/stable/c/83e3da8bb92fcfa7a1d232cf55f9e6c49bb84942 https://git.kernel.org/stable/c/586847b98e20ab02212ca5c1fc46680384e68a28 https://git.kernel.org/stable/c/24013314be6ee4ee456114a671e9fa3461323de8 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2022-48979 – drm/amd/display: fix array index out of bound error in DCN32 DML
https://notcve.org/view.php?id=CVE-2022-48979
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix array index out of bound error in DCN32 DML [Why&How] LinkCapacitySupport array is indexed with the number of voltage states and not the number of max DPPs. Fix the error by changing the array declaration to use the correct (larger) array size of total number of voltage states. • https://git.kernel.org/stable/c/3d8a298b2e83b98042e6ec726e934f535b23e6aa https://git.kernel.org/stable/c/aeffc8fb2174f017a10df114bc312f899904dc68 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2022-48978 – HID: core: fix shift-out-of-bounds in hid_report_raw_event
https://notcve.org/view.php?id=CVE-2022-48978
In the Linux kernel, the following vulnerability has been resolved: HID: core: fix shift-out-of-bounds in hid_report_raw_event Syzbot reported shift-out-of-bounds in hid_report_raw_event. microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > 32! (swapper/0) ====================================================================== UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20 shift exponent 127 is too large for 32-bit type 'int' CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rc4-syzkaller-00159-g4bbf3422df78 #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_shift_out_of_bounds+0x3a6/0x420 lib/ubsan.c:322 snto32 drivers/hid/hid-core.c:1323 [inline] hid_input_fetch_field drivers/hid/hid-core.c:1572 [inline] hid_process_report drivers/hid/hid-core.c:1665 [inline] hid_report_raw_event+0xd56/0x18b0 drivers/hid/hid-core.c:1998 hid_input_report+0x408/0x4f0 drivers/hid/hid-core.c:2066 hid_irq_in+0x459/0x690 drivers/hid/usbhid/hid-core.c:284 __usb_hcd_giveback_urb+0x369/0x530 drivers/usb/core/hcd.c:1671 dummy_timer+0x86b/0x3110 drivers/usb/gadget/udc/dummy_hcd.c:1988 call_timer_fn+0xf5/0x210 kernel/time/timer.c:1474 expire_timers kernel/time/timer.c:1519 [inline] __run_timers+0x76a/0x980 kernel/time/timer.c:1790 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1803 __do_softirq+0x277/0x75b kernel/softirq.c:571 __irq_exit_rcu+0xec/0x170 kernel/softirq.c:650 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1107 ====================================================================== If the size of the integer (unsigned n) is bigger than 32 in snto32(), shift exponent will be too large for 32-bit type 'int', resulting in a shift-out-of-bounds bug. Fix this by adding a check on the size of the integer (unsigned n) in snto32(). To add support for n greater than 32 bits, set n to 32, if n is greater than 32. • https://git.kernel.org/stable/c/dde5845a529ff753364a6d1aea61180946270bfa https://git.kernel.org/stable/c/151493fe5a6ed1a88decc929a7368a3f2a246914 https://git.kernel.org/stable/c/809783f8b4b600c7fb3bccb10fefef822601ea3b https://git.kernel.org/stable/c/8e14f20e12224ee2429f75a5c9418a700e26a8d3 https://git.kernel.org/stable/c/db1ed1b3fb4ec0d19080a102956255769bc45c79 https://git.kernel.org/stable/c/bc03f809da78fc79e4aee132d4e5c6a2b3aeec73 https://git.kernel.org/stable/c/f755d11c55b29049b77da5cd9ab2faae96eb33c3 https://git.kernel.org/stable/c/2b3b4d7aadaa1b6b58d0f34823bf86cfe •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2022-48975 – gpiolib: fix memory leak in gpiochip_setup_dev()
https://notcve.org/view.php?id=CVE-2022-48975
In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix memory leak in gpiochip_setup_dev() Here is a backtrace report about memory leak detected in gpiochip_setup_dev(): unreferenced object 0xffff88810b406400 (size 512): comm "python3", pid 1682, jiffies 4295346908 (age 24.090s) backtrace: kmalloc_trace device_add device_private_init at drivers/base/core.c:3361 (inlined by) device_add at drivers/base/core.c:3411 cdev_device_add gpiolib_cdev_register gpiochip_setup_dev gpiochip_add_data_with_key gcdev_register() & gcdev_unregister() would call device_add() & device_del() (no matter CONFIG_GPIO_CDEV is enabled or not) to register/unregister device. However, if device_add() succeeds, some resource (like struct device_private allocated by device_private_init()) is not released by device_del(). Therefore, after device_add() succeeds by gcdev_register(), it needs to call put_device() to release resource in the error handle path. Here we move forward the register of release function, and let it release every piece of resource by put_device() instead of kfree(). While at it, fix another subtle issue, i.e. when gc->ngpio is equal to 0, we still call kcalloc() and, in case of further error, kfree() on the ZERO_PTR pointer, which is not NULL. It's not a bug per se, but rather waste of the resources and potentially wrong expectation about contents of the gdev->descs variable. • https://git.kernel.org/stable/c/159f3cd92f17c61a4e2a47456de5865b114ef88e https://git.kernel.org/stable/c/6daaa84b621485fe28c401be18debf92ae8ef04a https://git.kernel.org/stable/c/371363716398ed718e389bea8c5e9843a79dde4e https://git.kernel.org/stable/c/ec851b23084b3a0af8bf0f5e51d33a8d678bdc49 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2022-48973 – gpio: amd8111: Fix PCI device reference count leak
https://notcve.org/view.php?id=CVE-2022-48973
In the Linux kernel, the following vulnerability has been resolved: gpio: amd8111: Fix PCI device reference count leak for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL input parameter, there is no problem for the 'Device not found' branch. For the normal path, add pci_dev_put() in amd_gpio_exit(). • https://git.kernel.org/stable/c/f942a7de047d8c599cc1a9a26293c8c7400450ea https://git.kernel.org/stable/c/4749c5cc147c9860b96db1e71cc36d1de1bd3f59 https://git.kernel.org/stable/c/71d591ef873f9ebb86cd8d053b3caee785b2de6a https://git.kernel.org/stable/c/b2bc053ebbba57a06fa655db5ea796de2edce445 https://git.kernel.org/stable/c/48bd5d3801f6b67cc144449d434abbd5043a6d37 https://git.kernel.org/stable/c/5ee6413d3dd972930af787b2c0c7aaeb379fa521 https://git.kernel.org/stable/c/4271515f189bd5fe2ec86b4089dab7cb804625d2 https://git.kernel.org/stable/c/e364ce04d8f840478b09eee57b614de7c •