CVE-2022-48927

In the Linux kernel, the following vulnerability has been resolved: iio: adc: tsc2046: fix memory corruption by preventing array overflow On one side we have indio_dev->num_channels includes all physical channels + timestamp channel. On other side we have an array allocated only for physical channels. So, fix memory corruption by ARRAY_SIZE() instead of num_channels variable. Note the first case is a cleanup rather than a fix as the software timestamp channel bit in active_scanmask is never set by the IIO core.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/082d2c047b0d305bb0b6e9f9d671a09470e2db2d	Patch
https://git.kernel.org/stable/c/0cb9b2f73c182d242a640e512f4785c7c504512f	Patch
https://git.kernel.org/stable/c/b7a78a8adaa8849c02f174d707aead0f85dca0da	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

No history.

Information

Published : 2024-08-22 04:15

Updated : 2024-08-23 02:05

NVD link : CVE-2022-48927

Mitre link : CVE-2022-48927

CVE.ORG link : CVE-2022-48927

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2022-48927", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-08-22T04:15:15.530", "references": [{"url": "https://git.kernel.org/stable/c/082d2c047b0d305bb0b6e9f9d671a09470e2db2d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0cb9b2f73c182d242a640e512f4785c7c504512f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b7a78a8adaa8849c02f174d707aead0f85dca0da", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: adc: tsc2046: fix memory corruption by preventing array overflow\n\nOn one side we have indio_dev->num_channels includes all physical channels +\ntimestamp channel. On other side we have an array allocated only for\nphysical channels. So, fix memory corruption by ARRAY_SIZE() instead of\nnum_channels variable.\n\nNote the first case is a cleanup rather than a fix as the software\ntimestamp channel bit in active_scanmask is never set by the IIO core."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iio: adc: tsc2046: corrige la corrupci\u00f3n de la memoria evitando el desbordamiento de la matriz. Por un lado tenemos indio_dev->num_channels incluye todos los canales f\u00edsicos + canal de marca de tiempo. Del otro lado tenemos un array asignado s\u00f3lo para canales f\u00edsicos. Por lo tanto, corrija la corrupci\u00f3n de la memoria con ARRAY_SIZE() en lugar de la variable num_channels. Tenga en cuenta que el primer caso es una limpieza en lugar de una soluci\u00f3n, ya que el n\u00facleo IIO nunca establece el bit del canal de marca de tiempo del software en active_scanmask."}], "lastModified": "2024-08-23T02:05:45.170", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C4549DFF-A0BC-4C08-B874-F0090921E478", "versionEndExcluding": "5.15.26", "versionStartIncluding": "5.14"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C76BAB21-7F23-4AD8-A25F-CA7B262A2698", "versionEndExcluding": "5.16.12", "versionStartIncluding": "5.16"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}