CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48863 – mISDN: Fix memory leak in dsp_pipeline_build()
https://notcve.org/view.php?id=CVE-2022-48863
In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix memory leak in dsp_pipeline_build() dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, "|"). As a result when it calls kfree(dup), the dup variable contains NULL. Found by Linux Driver Verification project (linuxtesting.org) with SVACE. En el kernel de Linux, se resolvió la siguiente vulnerabilidad: mISDN: corrige la pérdida de memoria en dsp_pipeline_build() dsp_pipeline_build() asigna el puntero dup mediante kstrdup(cfg), pero luego actualiza la variable dup mediante strsep(&dup, "|"). Como resultado, cuando llama a kfree(dup), la variable dup contiene NULL. Encontrado por el proyecto de verificación de controladores de Linux (linuxtesting.org) con SVACE. • https://git.kernel.org/stable/c/960366cf8dbb3359afaca30cf7fdbf69a6d6dda7 https://git.kernel.org/stable/c/a3d5fcc6cf2ecbba5a269631092570aa285a24cb https://git.kernel.org/stable/c/7777b1f795af1bb43867375d8a776080111aae1b https://git.kernel.org/stable/c/640445d6fc059d4514ffea79eb4196299e0e2d0f https://git.kernel.org/stable/c/c6a502c2299941c8326d029cfc8a3bc8a4607ad5 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48862 – vhost: fix hung thread due to erroneous iotlb entries
https://notcve.org/view.php?id=CVE-2022-48862
In the Linux kernel, the following vulnerability has been resolved: vhost: fix hung thread due to erroneous iotlb entries In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when start is 0 and last is ULONG_MAX. One instance where it can happen is when userspace sends an IOTLB message with iova=size=uaddr=0 (vhost_process_iotlb_msg). So, an entry with size = 0, start = 0, last = ULONG_MAX ends up in the iotlb. Next time a packet is sent, iotlb_access_ok() loops indefinitely due to that erroneous entry. Call Trace: <TASK> iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340 vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366 vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104 vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372 kthread+0x2e9/0x3a0 kernel/kthread.c:377 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> Reported by syzbot at: https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87 To fix this, do two things: 1. • https://git.kernel.org/stable/c/0bbe30668d89ec8a309f28ced6d092c90fb23e8c https://git.kernel.org/stable/c/f8d88e86e90ea1002226d7ac2430152bfea003d1 https://git.kernel.org/stable/c/d9a747e6b6561280bf1791bb24c5e9e082193dad https://git.kernel.org/stable/c/e2ae38cf3d91837a493cb2093c87700ff3cbe667 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48860 – ethernet: Fix error handling in xemaclite_of_probe
https://notcve.org/view.php?id=CVE-2022-48860
In the Linux kernel, the following vulnerability has been resolved: ethernet: Fix error handling in xemaclite_of_probe This node pointer is returned by of_parse_phandle() with refcount incremented in this function. Calling of_node_put() to avoid the refcount leak. As the remove function do. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ethernet: corrige el manejo de errores en xemaclite_of_probe Este puntero de nodo lo devuelve of_parse_phandle() con refcount incrementado en esta función. Llamar a of_node_put() para evitar la fuga de recuento. • https://git.kernel.org/stable/c/5cdaaa12866e916d0ada8b56c5f0e543cfc7fe3d https://git.kernel.org/stable/c/669172ce976608b25a2f76f3c65d47f042d125c9 https://git.kernel.org/stable/c/b7220f8e9d6c6b9594ddfb3125dad938cd478b1f https://git.kernel.org/stable/c/8609e29611befc4bfbe7a91bb50fc65ae72ff549 https://git.kernel.org/stable/c/8ee065a7a9b6a3976c16340503677efc4d8351f6 https://git.kernel.org/stable/c/979b418b96e35f07136f77962ccfaa54cf3e30e1 https://git.kernel.org/stable/c/5e7c402892e189a7bc152b125e72261154aa585d https://git.kernel.org/stable/c/1852854ee349881efb78ccdbbb2378389 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.0EPSS: 0%CPEs: 6EXPL: 0CVE-2022-48858 – net/mlx5: Fix a race on command flush flow
https://notcve.org/view.php?id=CVE-2022-48858
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix a race on command flush flow Fix a refcount use after free warning due to a race on command entry. Such race occurs when one of the commands releases its last refcount and frees its index and entry while another process running command flush flow takes refcount to this command entry. The process which handles commands flush may see this command as needed to be flushed if the other process released its refcount but didn't release the index yet. Fix it by adding the needed spin lock. It fixes the following warning trace: refcount_t: addition on 0; use-after-free. WARNING: CPU: 11 PID: 540311 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0 ... RIP: 0010:refcount_warn_saturate+0x80/0xe0 ... Call Trace: <TASK> mlx5_cmd_trigger_completions+0x293/0x340 [mlx5_core] mlx5_cmd_flush+0x3a/0xf0 [mlx5_core] enter_error_state+0x44/0x80 [mlx5_core] mlx5_fw_fatal_reporter_err_work+0x37/0xe0 [mlx5_core] process_one_work+0x1be/0x390 worker_thread+0x4d/0x3d0 ? rescuer_thread+0x350/0x350 kthread+0x141/0x160 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x1f/0x30 </TASK> En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5: Corregir una ejecución en el flujo de descarga de comandos. • https://git.kernel.org/stable/c/073fff8102062cd675170ceb54d90da22fe7e668 https://git.kernel.org/stable/c/50b2412b7e7862c5af0cbf4b10d93bc5c712d021 https://git.kernel.org/stable/c/da87ea137373689dec9d3fafa34a57787320a4b3 https://git.kernel.org/stable/c/1a4017926eeea56c7540cc41b42106746ee8a0ee https://git.kernel.org/stable/c/f3331bc17449f15832c31823f27573f4c0e13e5f https://git.kernel.org/stable/c/7c519f769f555ff7d9d4ccba3497bbb589df360a https://git.kernel.org/stable/c/0401bfb27a91d7bdd74b1635c1aae57cbb128da6 https://git.kernel.org/stable/c/063bd355595428750803d8736a9bb7c8d • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48857 – NFC: port100: fix use-after-free in port100_send_complete
https://notcve.org/view.php?id=CVE-2022-48857
In the Linux kernel, the following vulnerability has been resolved: NFC: port100: fix use-after-free in port100_send_complete Syzbot reported UAF in port100_send_complete(). The root case is in missing usb_kill_urb() calls on error handling path of ->probe function. port100_send_complete() accesses devm allocated memory which will be freed on probe failure. We should kill this urbs before returning an error from probe function to prevent reported use-after-free Fail log: BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26 ... Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670 ... Allocated by task 1255: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524 alloc_dr drivers/base/devres.c:116 [inline] devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823 devm_kzalloc include/linux/device.h:209 [inline] port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502 Freed by task 1255: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:236 [inline] __cache_free mm/slab.c:3437 [inline] kfree+0xf8/0x2b0 mm/slab.c:3794 release_nodes+0x112/0x1a0 drivers/base/devres.c:501 devres_release_all+0x114/0x190 drivers/base/devres.c:530 really_probe+0x626/0xcc0 drivers/base/dd.c:670 En el kernel de Linux, se resolvió la siguiente vulnerabilidad: NFC: puerto100: corrige use-after-free en port100_send_complete Syzbot informó UAF en port100_send_complete(). El caso raíz es que faltan llamadas usb_kill_urb() en la ruta de manejo de errores de ->función de sonda. port100_send_complete() accede a la memoria asignada por el desarrollador que se liberará en caso de falla de la sonda. Deberíamos eliminar estas urbs antes de devolver un error de la función de sonda para evitar el registro de errores de use-after-free: ERROR: KASAN: use-after-free en port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 Lectura de tamaño 1 en addr ffff88801bb59540 por tarea ksoftirqd/2/26... • https://git.kernel.org/stable/c/0347a6ab300a1532c298823408d6e51ccf4e4f45 https://git.kernel.org/stable/c/205c4ec78e71cbf561794e6043da80e7bae6790f https://git.kernel.org/stable/c/32e866ae5a7af590597ef4bcff8451bf96d5f980 https://git.kernel.org/stable/c/b1db33d4e54bc35d8db96ce143ea0ef92e23d58e https://git.kernel.org/stable/c/cd2a5c0da0d1ddf11d1f84e9c9b1949f50f6e161 https://git.kernel.org/stable/c/2b1c85f56512d49e43bc53741fce2f508cd90029 https://git.kernel.org/stable/c/0e721b8f2ee5e11376dd55363f9ccb539d754b8a https://git.kernel.org/stable/c/7194737e1be8fdc89d2a9382bd2f371f7 • CWE-416: Use After Free •