{
  "id": "CVE-2022-49530",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2025-02-26T07:01:28.967",
  "lastModified": "2025-03-10T21:15:50.760",
  "vulnStatus": "Analyzed",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: fix double free in si_parse_power_table()\n\nIn function si_parse_power_table(), array adev->pm.dpm.ps and its member\nis allocated. If the allocation of each member fails, the array itself\nis freed and returned with an error code. However, the array is later\nfreed again in si_dpm_fini() function which is called when the function\nreturns an error.\n\nThis leads to potential double free of the array adev->pm.dpm.ps, as\nwell as leak of its array members, since the members are not freed in\nthe allocation function and the array is not nulled when freed.\nIn addition adev->pm.dpm.num_ps, which keeps track of the allocated\narray member, is not updated until the member allocation is\nsuccessfully finished, this could also lead to either use after free,\nor uninitialized variable access in si_dpm_fini().\n\nFix this by postponing the free of the array until si_dpm_fini() and\nincrement adev->pm.dpm.num_ps everytime the array member is allocated."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/pm: se corrige la doble liberaci\u00f3n en si_parse_power_table() En la funci\u00f3n si_parse_power_table(), se asigna la matriz adev->pm.dpm.ps y su miembro. Si la asignaci\u00f3n de cada miembro falla, la matriz en s\u00ed se libera y se devuelve con un c\u00f3digo de error. Sin embargo, la matriz se libera m\u00e1s tarde nuevamente en la funci\u00f3n si_dpm_fini() que se llama cuando la funci\u00f3n devuelve un error. Esto conduce a una posible doble liberaci\u00f3n de la matriz adev->pm.dpm.ps, as\u00ed como a la fuga de sus miembros de matriz, ya que los miembros no se liberan en la funci\u00f3n de asignaci\u00f3n y la matriz no se anula cuando se libera. Adem\u00e1s, adev->pm.dpm.num_ps, que realiza un seguimiento del miembro de la matriz asignado, no se actualiza hasta que la asignaci\u00f3n del miembro finaliza correctamente, esto tambi\u00e9n podr\u00eda conducir al use-after-free o al acceso a variables no inicializadas en si_dpm_fini(). Solucione esto posponiendo la liberaci\u00f3n de la matriz hasta si_dpm_fini() e incremente adev->pm.dpm.num_ps cada vez que se asigne el miembro de la matriz."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-415"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "4.9.318",
              "matchCriteriaId": "0D4D4067-974D-4560-8320-22FDA399E3F9"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "4.10",
              "versionEndExcluding": "4.14.283",
              "matchCriteriaId": "D6823775-2653-4644-A0D4-4E6E68F10C65"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "4.15",
              "versionEndExcluding": "4.19.247",
              "matchCriteriaId": "B8CFA0F4-2D75-41F4-9753-87944A08B53B"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "4.20",
              "versionEndExcluding": "5.4.198",
              "matchCriteriaId": "3EC49633-14DE-4EBD-BB80-76AE2E3EABB9"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "5.5",
              "versionEndExcluding": "5.10.121",
              "matchCriteriaId": "34ACD872-E5BC-401C-93D5-B357A62426E0"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "5.11",
              "versionEndExcluding": "5.15.46",
              "matchCriteriaId": "20D41697-0E8B-4B7D-8842-F17BF2AA21E1"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "5.16",
              "versionEndExcluding": "5.17.14",
              "matchCriteriaId": "15E2DD33-2255-4B76-9C15-04FF8CBAB252"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "5.18",
              "versionEndExcluding": "5.18.3",
              "matchCriteriaId": "8E122216-2E9E-4B3E-B7B8-D575A45BA3C2"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/2615464854505188f909d0c07c37a6623693b5c7",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/43eb9b667b95f2a31c63e8949b0d2161b9be59c3",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/6c5bdaa1325be7f04b79ea992ab216739192d342",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/a5ce7051db044290b1a95045ff03c249005a3aa4",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/af832028af6f44c6c45645757079c4ed6884ade5",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/c0e811c4ccf3b42705976285e3a94cc82dea7300",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/ca1ce206894dd976275c78ee38dbc19873f22de9",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/f3fa2becf2fc25b6ac7cf8d8b1a2e4a86b3b72bd",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/fd2eff8b9dcbe469c3b7bbbc7083ab5ed94de07b",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    }
  ]
}