CVE-2022-49203

{"id": "CVE-2022-49203", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:00:57.357", "references": [{"url": "https://git.kernel.org/stable/c/32685b32d825ca08c5dec826477332df886c4743", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bbfcdd6289ba6f00f0cd7d496946dce9f6c600ac", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-415"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix double free during GPU reset on DC streams\n\n[Why]\nThe issue only occurs during the GPU reset code path.\n\nWe first backup the current state prior to commiting 0 streams\ninternally from DM to DC. This state backup contains valid link\nencoder assignments.\n\nDC will clear the link encoder assignments as part of current state\n(but not the backup, since it was a copied before the commit) and\nfree the extra stream reference it held.\n\nDC requires that the link encoder assignments remain cleared/invalid\nprior to commiting. Since the backup still has valid assignments we\ncall the interface post reset to clear them. This routine also\nreleases the extra reference that the link encoder interface held -\nresulting in a double free (and eventually a NULL pointer dereference).\n\n[How]\nWe'll have to do a full DC commit anyway after GPU reset because\nthe stream count previously went to 0.\n\nWe don't need to retain the assignment that we had backed up, so\njust copy off of the now clean current state assignment after the\nreset has occcurred with the new link_enc_cfg_copy() interface."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: Arreglar doble liberaci\u00f3n durante el reinicio de la GPU en flujos de DC [Por qu\u00e9] El problema solo ocurre durante la ruta del c\u00f3digo de reinicio de la GPU. Primero hacemos una copia de seguridad del estado actual antes de confirmar 0 flujos internamente desde DM a DC. Esta copia de seguridad del estado contiene asignaciones de codificador de enlace v\u00e1lidas. DC borrar\u00e1 las asignaciones de codificador de enlace como parte del estado actual (pero no la copia de seguridad, ya que se copi\u00f3 antes de el commit) y liberar\u00e1 la referencia de flujo adicional que ten\u00eda. DC requiere que las asignaciones de codificador de enlace permanezcan borradas/inv\u00e1lidas antes de el commit. Dado que la copia de seguridad a\u00fan tiene asignaciones v\u00e1lidas, llamamos a la interfaz post reset para borrarlas. Esta rutina tambi\u00e9n libera la referencia adicional que ten\u00eda la interfaz de codificador de enlace, lo que da como resultado una doble liberaci\u00f3n (y eventualmente una desreferencia de puntero NULL). [C\u00f3mo] Tendremos que hacer una confirmaci\u00f3n de DC completa de todos modos despu\u00e9s de reiniciar la GPU porque el conteo de transmisiones anteriormente lleg\u00f3 a 0. No necesitamos conservar la asignaci\u00f3n que hab\u00edamos respaldado, as\u00ed que simplemente copiamos la asignaci\u00f3n del estado actual ahora limpio despu\u00e9s de que se haya producido el reinicio con la nueva interfaz link_enc_cfg_copy()."}], "lastModified": "2025-03-18T20:12:03.890", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "210C679C-CF84-44A3-8939-E629C87E54BF", "versionEndExcluding": "5.17.2", "versionStartIncluding": "5.17"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}