CVE-2022-48973

Summary

In the Linux kernel, the following vulnerability has been resolved:

gpio: amd8111: Fix PCI device reference count leak

for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL.

If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL input parameter, there is no problem for the 'Device not found' branch. For the normal path, add pci_dev_put() in amd_gpio_exit().

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxf942a7de047d8c599cc1a9a26293c8c7400450ea < 4749c5cc147c9860b96db1e71cc36d1de1bd3f59affected
LinuxLinuxf942a7de047d8c599cc1a9a26293c8c7400450ea < 71d591ef873f9ebb86cd8d053b3caee785b2de6aaffected
LinuxLinuxf942a7de047d8c599cc1a9a26293c8c7400450ea < b2bc053ebbba57a06fa655db5ea796de2edce445affected
LinuxLinuxf942a7de047d8c599cc1a9a26293c8c7400450ea < 48bd5d3801f6b67cc144449d434abbd5043a6d37affected
LinuxLinuxf942a7de047d8c599cc1a9a26293c8c7400450ea < 5ee6413d3dd972930af787b2c0c7aaeb379fa521affected
LinuxLinuxf942a7de047d8c599cc1a9a26293c8c7400450ea < 4271515f189bd5fe2ec86b4089dab7cb804625d2affected
LinuxLinuxf942a7de047d8c599cc1a9a26293c8c7400450ea < e364ce04d8f840478b09eee57b614de7cf1e743eaffected
LinuxLinuxf942a7de047d8c599cc1a9a26293c8c7400450ea < 45fecdb9f658d9c82960c98240bc0770ade19acaaffected
LinuxLinux3.6affected
LinuxLinux0 < 3.6unaffected
LinuxLinux4.9.336 <= 4.9.*unaffected
LinuxLinux4.14.302 <= 4.14.*unaffected
LinuxLinux4.19.269 <= 4.19.*unaffected
LinuxLinux5.4.227 <= 5.4.*unaffected
LinuxLinux5.10.159 <= 5.10.*unaffected
LinuxLinux5.15.83 <= 5.15.*unaffected
LinuxLinux6.0.13 <= 6.0.*unaffected
LinuxLinux6.1 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References