CVE-2022-49741

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49741
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49741.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49741
Related
Published
2025-03-27T17:15:38Z
Modified
2025-04-14T22:50:41.158825Z
Downstream
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

fbdev: smscufx: fix error handling code in ufxusbprobe

The current error handling code in ufxusbprobe have many unmatching issues, e.g., missing ufxfreeusblist, destroymodedb label should only include framebufferrelease, fbdealloccmap only matches fballoc_cmap.

My local syzkaller reports a memory leak bug:

memory leak in ufxusbprobe

BUG: memory leak unreferenced object 0xffff88802f879580 (size 128): comm "kworker/0:7", pid 17416, jiffies 4295067474 (age 46.710s) hex dump (first 32 bytes): 80 21 7c 2e 80 88 ff ff 18 d0 d0 0c 80 88 ff ff .!|............. 00 d0 d0 0c 80 88 ff ff e0 ff ff ff 0f 00 00 00 ................ backtrace: [<ffffffff814c99a0>] kmalloctrace+0x20/0x90 mm/slabcommon.c:1045 [<ffffffff824d219c>] kmalloc include/linux/slab.h:553 [inline] [<ffffffff824d219c>] kzalloc include/linux/slab.h:689 [inline] [<ffffffff824d219c>] ufxallocurblist drivers/video/fbdev/smscufx.c:1873 [inline] [<ffffffff824d219c>] ufxusbprobe+0x11c/0x15a0 drivers/video/fbdev/smscufx.c:1655 [<ffffffff82d17927>] usbprobeinterface+0x177/0x370 drivers/usb/core/driver.c:396 [<ffffffff82712f0d>] calldriverprobe drivers/base/dd.c:560 [inline] [<ffffffff82712f0d>] reallyprobe+0x12d/0x390 drivers/base/dd.c:639 [<ffffffff8271322f>] _driverprobedevice+0xbf/0x140 drivers/base/dd.c:778 [<ffffffff827132da>] driverprobedevice+0x2a/0x120 drivers/base/dd.c:808 [<ffffffff82713c27>] _deviceattachdriver+0xf7/0x150 drivers/base/dd.c:936 [<ffffffff82710137>] busforeachdrv+0xb7/0x100 drivers/base/bus.c:427 [<ffffffff827136b5>] _deviceattach+0x105/0x2d0 drivers/base/dd.c:1008 [<ffffffff82711d36>] busprobedevice+0xc6/0xe0 drivers/base/bus.c:487 [<ffffffff8270e242>] deviceadd+0x642/0xdc0 drivers/base/core.c:3517 [<ffffffff82d14d5f>] usbsetconfiguration+0x8ef/0xb80 drivers/usb/core/message.c:2170 [<ffffffff82d2576c>] usbgenericdriverprobe+0x8c/0xc0 drivers/usb/core/generic.c:238 [<ffffffff82d16ffc>] usbprobedevice+0x5c/0x140 drivers/usb/core/driver.c:293 [<ffffffff82712f0d>] calldriverprobe drivers/base/dd.c:560 [inline] [<ffffffff82712f0d>] reallyprobe+0x12d/0x390 drivers/base/dd.c:639 [<ffffffff8271322f>] _driverprobe_device+0xbf/0x140 drivers/base/dd.c:778

Fix this bug by rewriting the error handling code in ufxusbprobe.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.178-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}