CVE-2022-49478: 
Linux Kernel vulnerability analysis and mitigation

In the Linux kernel, a vulnerability (CVE-2022-49478) was discovered in the pvrusb2 driver's array indexing functionality. The issue was identified in the pvr2i2ccoreinit function where -1 is used as an array index. The vulnerability stems from a missing validation check, where hdw->unitnumber is initialized with -1 and remains unchanged if the init table walk fails, leading to potential array-index-out-of-bounds access (Kernel Git).

The vulnerability occurs in the Linux kernel's media subsystem, specifically in the pvrusb2 driver. The issue arises when the code blindly uses hdw->unitnumber for array indexing without proper validation. The problem was discovered by Syzbot, which reported the -1 array index usage. The fix involved adding a sanity check to validate hdw->unitnumber before its use and moving the hdw->workpoll initialization earlier in the code to prevent warnings in _flushwork (Kernel Git).

An array-index-out-of-bounds condition could lead to memory corruption or system crashes when using the affected pvrusb2 driver. This vulnerability has existed since the introduction of the pvrusb2 driver to the kernel with commit d855497edbfb (Kernel Git).

The vulnerability has been fixed by adding a validation check for hdw->unit_number before its use as an array index. The fix also includes moving the hdw->workpoll initialization to prevent warnings. Users should update their Linux kernel to a version containing the fix (Kernel Git).