CVE-2022-49524

EUVD-2022-54706

26.02.2025, 07:01

In the Linux kernel, the following vulnerability has been resolved:

media: pci: cx23885: Fix the error handling in cx23885_initdev()

When the driver fails to call the dma_set_mask(), the driver will get
the following splat:

[   55.853884] BUG: KASAN: use-after-free in __process_removed_driver+0x3c/0x240
[   55.854486] Read of size 8 at addr ffff88810de60408 by task modprobe/590
[   55.856822] Call Trace:
[   55.860327]  __process_removed_driver+0x3c/0x240
[   55.861347]  bus_for_each_dev+0x102/0x160
[   55.861681]  i2c_del_driver+0x2f/0x50

This is because the driver has initialized the i2c related resources
in cx23885_dev_setup() but not released them in error handling, fix this
bug by modifying the error path that jumps after failing to call the
dma_set_mask().

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 21%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	𝑥 < 4.14.283
linux	linux_kernel	4.15 ≤ 𝑥 < 4.19.247
linux	linux_kernel	4.20 ≤ 𝑥 < 5.4.198
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.121
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.46
linux	linux_kernel	5.16 ≤ 𝑥 < 5.17.14
linux	linux_kernel	5.18 ≤ 𝑥 < 5.18.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.123-1 fixed
bookworm (security)	6.1.128-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.234-1 fixed
sid	6.12.16-1 fixed
trixie	6.12.12-1 fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

dlm-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

gfs2-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-64kb

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-default-base

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1.150300.18.120.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1.150400.24.78.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1.150500.6.47.1 fixed

kernel-default-man

suse enterprise server 12 SP5

4.12.14-122.255.1

fixed

kernel-docs

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-macros

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-obs-build

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-preempt

suse enterprise server 15 SP3

5.3.18-150300.59.201.1

fixed

kernel-source

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-syms

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-zfcpdump

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

ocfs2-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

reiserfs-kmp-default

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://git.kernel.org/stable/c/453514a874c78df1e7804e6e3aaa60c8d8deb6a8

https://git.kernel.org/stable/c/6041d1a0365baa729b6adfb6ed5386d9388018db

https://git.kernel.org/stable/c/7b9978e1c94e569d65a0e7e719abb9340f5db4a0

https://git.kernel.org/stable/c/86bd6a579c6c60547706cabf299cd2c9feab3332

https://git.kernel.org/stable/c/98106f100f50c487469903b9cf6d966785fc9cc3

https://git.kernel.org/stable/c/ca17e7a532d1a55466cc007b3f4d319541a27493

https://git.kernel.org/stable/c/e8123311cf06d7dae71e8c5fe78e0510d20cd30b

https://git.kernel.org/stable/c/fa636e9ee4442215cd9a2e079cd5a8e1fe0cb8ba