CVE-2022-50542
EUVD-2025-3201007.10.2025, 16:15
In the Linux kernel, the following vulnerability has been resolved:
media: si470x: Fix use-after-free in si470x_int_in_callback()
syzbot reported use-after-free in si470x_int_in_callback() [1]. This
indicates that urb->context, which contains struct si470x_device
object, is freed when si470x_int_in_callback() is called.
The cause of this issue is that si470x_int_in_callback() is called for
freed urb.
si470x_usb_driver_probe() calls si470x_start_usb(), which then calls
usb_submit_urb() and si470x_start(). If si470x_start_usb() fails,
si470x_usb_driver_probe() doesn't kill urb, but it just frees struct
si470x_device object, as depicted below:
si470x_usb_driver_probe()
...
si470x_start_usb()
...
usb_submit_urb()
retval = si470x_start()
return retval
if (retval < 0)
free struct si470x_device object, but don't kill urb
This patch fixes this issue by killing urb when si470x_start_usb()
fails and urb is submitted. If si470x_start_usb() fails and urb is
not submitted, i.e. submitting usb fails, it just frees struct
si470x_device object.EnginsightAffected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 3.6 ≤ 𝑥 < 4.9.337 |
| linux | linux_kernel | 4.10 ≤ 𝑥 < 4.14.303 |
| linux | linux_kernel | 4.15 ≤ 𝑥 < 4.19.270 |
| linux | linux_kernel | 4.20 ≤ 𝑥 < 5.4.229 |
| linux | linux_kernel | 5.5 ≤ 𝑥 < 5.10.163 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.86 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.0.16 |
| linux | linux_kernel | 6.1 ≤ 𝑥 < 6.1.2 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration
References