nvd-json-data-feeds/CVE-2022/CVE-2022-495xx/CVE-2022-49530.json

{
  "id": "CVE-2022-49530",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2025-02-26T07:01:28.967",
  "lastModified": "2025-02-26T07:01:28.967",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix double free in si_parse_power_table()\n\nIn function si_parse_power_table(), array adev->pm.dpm.ps and its member\nis allocated. If the allocation of each member fails, the array itself\nis freed and returned with an error code. However, the array is later\nfreed again in si_dpm_fini() function which is called when the function\nreturns an error.\n\nThis leads to potential double free of the array adev->pm.dpm.ps, as\nwell as leak of its array members, since the members are not freed in\nthe allocation function and the array is not nulled when freed.\nIn addition adev->pm.dpm.num_ps, which keeps track of the allocated\narray member, is not updated until the member allocation is\nsuccessfully finished, this could also lead to either use after free,\nor uninitialized variable access in si_dpm_fini().\n\nFix this by postponing the free of the array until si_dpm_fini() and\nincrement adev->pm.dpm.num_ps everytime the array member is allocated."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/pm: se corrige la doble liberaci\u00f3n en si_parse_power_table() En la funci\u00f3n si_parse_power_table(), se asigna la matriz adev->pm.dpm.ps y su miembro. Si la asignaci\u00f3n de cada miembro falla, la matriz en s\u00ed se libera y se devuelve con un c\u00f3digo de error. Sin embargo, la matriz se libera m\u00e1s tarde nuevamente en la funci\u00f3n si_dpm_fini() que se llama cuando la funci\u00f3n devuelve un error. Esto conduce a una posible doble liberaci\u00f3n de la matriz adev->pm.dpm.ps, as\u00ed como a la fuga de sus miembros de matriz, ya que los miembros no se liberan en la funci\u00f3n de asignaci\u00f3n y la matriz no se anula cuando se libera. Adem\u00e1s, adev->pm.dpm.num_ps, que realiza un seguimiento del miembro de la matriz asignado, no se actualiza hasta que la asignaci\u00f3n del miembro finaliza correctamente, esto tambi\u00e9n podr\u00eda conducir al use-after-free o al acceso a variables no inicializadas en si_dpm_fini(). Solucione esto posponiendo la liberaci\u00f3n de la matriz hasta si_dpm_fini() e incremente adev->pm.dpm.num_ps cada vez que se asigne el miembro de la matriz."
    }
  ],
  "metrics": {},
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/2615464854505188f909d0c07c37a6623693b5c7",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/43eb9b667b95f2a31c63e8949b0d2161b9be59c3",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/6c5bdaa1325be7f04b79ea992ab216739192d342",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/a5ce7051db044290b1a95045ff03c249005a3aa4",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/af832028af6f44c6c45645757079c4ed6884ade5",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/c0e811c4ccf3b42705976285e3a94cc82dea7300",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/ca1ce206894dd976275c78ee38dbc19873f22de9",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/f3fa2becf2fc25b6ac7cf8d8b1a2e4a86b3b72bd",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/fd2eff8b9dcbe469c3b7bbbc7083ab5ed94de07b",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ]
}