CVE-2022-49530 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/pm: fix double free in si_parse_power_table()

In function si_parse_power_table(), array adev->pm.dpm.ps and its member is allocated. If the allocation of each member fails, the array itself is freed and returned with an error code. However, the array is later freed again in si_dpm_fini() function which is called when the function returns an error.

This leads to potential double free of the array adev->pm.dpm.ps, as well as leak of its array members, since the members are not freed in the allocation function and the array is not nulled when freed. In addition, adev->pm.dpm.num_ps, which keeps track of the allocated array members, is not updated until the member allocation is successfully finished; this could also lead to either use after free or uninitialized variable access in si_dpm_fini().

Fix this by postponing the free of the array until si_dpm_fini() and incrementing adev->pm.dpm.num_ps every time an array member is allocated.


Analysis

by VulDB Data Team • 04/17/2025

The vulnerability identified as CVE-2022-49530 resides in the Linux kernel's AMD display driver subsystem, specifically in the power management component responsible for handling GPU power states. The issue lies in the drm/amd/pm subsystem, where the si_parse_power_table() function builds the dynamic power state array for AMD graphics hardware. The flaw is a classic double free that can destabilize the system and, because it sits in kernel space, carries potential security implications.

The vulnerability stems from improper memory management in the power table parsing function. When si_parse_power_table() allocates the array adev->pm.dpm.ps and its individual members, the code correctly detects a member allocation failure and frees the entire array before returning an error. However, si_dpm_fini(), which is called during error handling, also frees the same array, creating a double free. The problem arises because the array members are allocated individually but are not released by the allocation function on failure, while the array pointer itself is freed in two separate code paths.

The inconsistency extends beyond the immediate double free to potential use-after-free and uninitialized variable access. The variable adev->pm.dpm.num_ps, which tracks the number of successfully allocated array members, is only updated after all member allocations have completed successfully. When an allocation fails, the counter therefore does not reflect the members actually allocated, so the cleanup in si_dpm_fini() may either touch freed memory or operate on an uninitialized value. Such behavior creates memory corruption conditions that can be exploited to compromise system integrity.
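To make the allocation and cleanup pattern from the commit message and the analysis above concrete, here is an added user-space model in C (example code written for this page, not the kernel's si_parse_power_table() or si_dpm_fini()). It mirrors the advisory's adev->pm.dpm.ps / num_ps fields with a simplified struct dpm, injects an allocation failure at a chosen member index, and routes every free through a small tracking allocator so that a double free is counted rather than crashing the process. The struct, the tracking allocator, the failure injection and every function name not quoted from the advisory are assumptions made here. The buggy variant reproduces the two effects the commit names (the array freed twice and the already-allocated members leaked); the fixed variant follows the commit's remedy of counting each member as it is allocated and leaving all freeing to the fini routine.

```c
/* Added illustration, not kernel code: a user-space model of the
 * allocation/cleanup pattern the advisory describes. Field names echo
 * adev->pm.dpm.ps / num_ps and si_dpm_fini(); struct dpm, the tracking
 * allocator and the failure injection are made up for this example. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define NUM_STATES 4
#define MAX_LIVE   16

struct power_state { int clock; };     /* stand-in for a per-state record */
struct dpm {
    struct power_state **ps;           /* like adev->pm.dpm.ps */
    int num_ps;                        /* like adev->pm.dpm.num_ps */
};

/* Tracking allocator: remembers live blocks so a second free of the same
 * pointer is counted instead of corrupting the heap, and leaks can be
 * measured after cleanup. */
static void *live[MAX_LIVE];
static int double_frees;

static void *track_alloc(size_t n)
{
    void *p = calloc(1, n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}

static void track_free(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;   /* not live: already freed (undefined behaviour in real code) */
}

static int live_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        n += live[i] != NULL;
    return n;
}

static int fail_at;   /* alloc_state() fails at this index; -1 = never */

static struct power_state *alloc_state(int i)
{
    struct power_state *s = (i == fail_at) ? NULL : track_alloc(sizeof(struct power_state));
    if (s)
        s->clock = 100 * (i + 1);
    return s;
}

/* Vulnerable shape: on a member failure the array is freed, but the pointer
 * is left dangling and num_ps is never set, so fini() frees the array a
 * second time and never releases the members allocated so far. */
static int parse_power_table_buggy(struct dpm *d)
{
    d->ps = track_alloc(NUM_STATES * sizeof(*d->ps));
    if (!d->ps) return -ENOMEM;
    for (int i = 0; i < NUM_STATES; i++) {
        d->ps[i] = alloc_state(i);
        if (!d->ps[i]) { track_free(d->ps); return -ENOMEM; }  /* first free */
    }
    d->num_ps = NUM_STATES;   /* only set once everything succeeded */
    return 0;
}

/* Fixed shape, following the commit: count each member as it is allocated
 * and leave all freeing to fini(). */
static int parse_power_table_fixed(struct dpm *d)
{
    d->ps = track_alloc(NUM_STATES * sizeof(*d->ps));
    if (!d->ps) return -ENOMEM;
    for (int i = 0; i < NUM_STATES; i++) {
        d->ps[i] = alloc_state(i);
        if (!d->ps[i]) return -ENOMEM;   /* array intentionally left for fini() */
        d->num_ps++;
    }
    return 0;
}

/* Single cleanup point, like si_dpm_fini(): release exactly num_ps members,
 * then the array, and null the pointer so a repeat call is harmless. */
static void dpm_fini(struct dpm *d)
{
    for (int i = 0; i < d->num_ps; i++)
        track_free(d->ps[i]);
    track_free(d->ps);
    d->ps = NULL;
    d->num_ps = 0;
}

static int leaked_after_run;   /* blocks still live after fini(), set by exercise() */

/* Run one variant with a failure injected at member index fail_idx (-1 for
 * none), tear down as the caller would, and return the number of double
 * frees observed. Leaked blocks are deliberately not recovered. */
static int exercise(int (*parse)(struct dpm *), int fail_idx)
{
    struct dpm d = { NULL, 0 };
    for (int i = 0; i < MAX_LIVE; i++)
        live[i] = NULL;
    double_frees = 0;
    fail_at = fail_idx;
    parse(&d);            /* success or error, the caller's teardown runs fini() */
    dpm_fini(&d);
    leaked_after_run = live_count();
    return double_frees;
}

int main(void)
{
    int df = exercise(parse_power_table_buggy, 2);
    printf("buggy: double frees=%d, leaked blocks=%d\n", df, leaked_after_run);
    df = exercise(parse_power_table_fixed, 2);
    printf("fixed: double frees=%d, leaked blocks=%d\n", df, leaked_after_run);
    return 0;
}
```

With the failure injected at the third member, the buggy variant reports one double free and two leaked blocks, while the fixed variant reports none of either; the counter stands in for what KASAN or a slab corruption report would flag in a real kernel build, and the same single-cleanup-point discipline is the property a reviewer should check in any allocate-in-a-loop error path.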

This vulnerability falls under CWE-415: Double Free and CWE-416: Use After Free in the Common Weakness Enumeration framework and represents a critical memory safety issue in kernel-level code. The attack surface is particularly concerning because the display power management subsystem operates with elevated privileges, so the flaw could be leveraged by malicious actors to crash the system or, in more sophisticated scenarios, to achieve privilege escalation. The issue reflects inconsistent defensive programming, where resource tracking and cleanup are not handled uniformly across the code paths, violating fundamental principles of secure memory management.

The operational impact extends to systems with AMD graphics hardware running affected Linux kernel versions, particularly those using dynamic power management. The double free could result in kernel panics, system crashes, or denial of service affecting graphics rendering and overall system stability. While direct exploitation for privilege escalation appears challenging given kernel security mitigations, the memory corruption potential remains significant for attackers seeking to destabilize systems or set up conditions for further attacks. The kernel fix addresses the core issue by adjusting the memory management flow so that resources are tracked accurately and deallocated at a single point, preventing both the double free and the associated use-after-free scenarios.

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00260

KEV

no

Activities

very low

Sources
