Cyber Posture

CVE-2022-49530

High

Published: 26 February 2025

Published
26 February 2025
Modified
01 October 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 16.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: fix double free in si_parse_power_table() In function si_parse_power_table(), array adev->pm.dpm.ps and its member is allocated. If the allocation of each member fails, the array itself is freed and returned with an error code. However, the array is later freed again in si_dpm_fini() function which is called when the function returns an error. This leads to potential double free of the array adev->pm.dpm.ps, as well as leak of its array members, since the members are not freed in the allocation function and the array is not nulled when freed. In addition adev->pm.dpm.num_ps, which keeps track of the allocated array member, is not updated until the member allocation is successfully finished, this could also lead to either use after free, or uninitialized variable access in si_dpm_fini(). Fix this by postponing the free of the array until si_dpm_fini() and increment adev->pm.dpm.num_ps everytime the array member is allocated.

Security Summary

CVE-2022-49530 is a double free vulnerability in the Linux kernel's DRM/AMD power management subsystem, specifically within the si_parse_power_table() function. The flaw occurs during allocation of the array adev->pm.dpm.ps and its members; if a member allocation fails, the array is freed and an error is returned, but the array is freed again in the si_dpm_fini() function. This results in a double free of the array, along with potential memory leaks of array members (which are not freed), and risks of use-after-free or uninitialized access due to adev->pm.dpm.num_ps not being updated until successful allocation.

A local attacker with low privileges can exploit this vulnerability (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.8; CWE-415). By triggering the power table parsing code path, such as during AMD GPU initialization or related operations, the attacker can induce the double free and associated memory corruptions, potentially leading to high-impact confidentiality, integrity, and availability violations, including system crashes, data leaks, or privilege escalation.

Mitigation is provided through Linux kernel stable patches, as detailed in the referenced commits (e.g., https://git.kernel.org/stable/c/2615464854505188f909d0c07c37a6623693b5c7 and others). These fixes postpone the array free until si_dpm_fini(), ensure array members are properly managed, and increment adev->pm.dpm.num_ps only after successful allocations, preventing the double free, leaks, and related issues. Affected systems should update to kernels incorporating these commits.

Details

CWE(s)
CWE-415

Affected Products

linux
linux kernel
≤ 4.9.318 · 4.10 — 4.14.283 · 4.15 — 4.19.247

References