CVE-2022-49436

Right now 'char *' elements allocated for individual 'statid' in 'paprscmpriv.nvdimmeventsmap[]' during paprscmpmucheckevents(), get leaked in paprscmremove() and paprscmpmuregister(), paprscmpmucheckevents() error paths.

Also individual 'statid' arent NULL terminated 'char *' instead they are fixed 8-byte sized identifiers. However paprscmpmuregister() assumes it to be a NULL terminated 'char *' and at other places it assumes it to be a 'paprscmperfstat.statid' sized string which is 8-byes in size.

Fix this by allocating the memory for paprscmpriv.nvdimmeventsmap to also include space for 'statid' entries. This is possible since number of available events/statids are known upfront. This saves some memory and one extra level of indirection from 'nvdimmeventsmap' to 'statid'. Also rest of the code can continue to call 'kfree(paprscmpriv.nvdimmevents_map)' without needing to iterate over the array and free up individual elements.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

4c08d4bbc089a95f3f38389c2b79dbc6ab24f10b

Fixed

b073096df4dec70d0436321b7093bad27ae91f9e

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

4c08d4bbc089a95f3f38389c2b79dbc6ab24f10b

Fixed

0e0946e22f3665d27325d389ff45ade6e93f3678

Affected versions

v5.*

v5.17

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.18.1

v5.18.2

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.18.0

Fixed

5.18.3