CVE-2022-48921
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
sched/fair: Fix fault in reweight_entity
Syzbot found a GPF in reweight_entity. This has been bisected to commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid sched_task_group")
There is a race between sched_post_fork() and setpriority(PRIO_PGRP) within a thread group that causes a null-ptr-deref in reweight_entity() in CFS. The scenario is that the main process spawns number of new threads, which then call setpriority(PRIO_PGRP, 0, -20), wait, and exit. For each of the new threads the copy_process() gets invoked, which adds the new task_struct and calls sched_post_fork() for it.
In the above scenario there is a possibility that setpriority(PRIO_PGRP) and set_one_prio() will be called for a thread in the group that is just being created by copy_process(), and for which the sched_post_fork() has not been executed yet. This will trigger a null pointer dereference in reweight_entity(), as it will try to access the run queue pointer, which hasn't been set.
Before the mentioned change the cfs_rq pointer for the task has been set in sched_fork(), which is called much earlier in copy_process(), before the new task is added to the thread_group. Now it is done in the sched_post_fork(), which is called after that. To fix the issue the remove the update_load param from the update_load param() function and call reweight_task() only if the task flag doesn't have the TASK_NEW flag set.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | c85c6fadbef0a3eab41540ea628fa8fe8928c820 < 8f317cd888059c59e2fa924bf4b0957cfa53f78e | affected |
| Linux | Linux | 3869eecf050416a1d19bac60926f6b5d64b0aa58 < e0bcd6b5779352aed88f2e538a82a39f1a7715bb | affected |
| Linux | Linux | 4ef0c5c6b5ba1f38f0ea1cedad0cad722f00c14a < 589a954daab5e18399860b6c8ffaeaf79844eb20 | affected |
| Linux | Linux | 4ef0c5c6b5ba1f38f0ea1cedad0cad722f00c14a < 13765de8148f71fa795e0a6607de37c49ea5915a | affected |
| Linux | Linux | 25d40b828fb855ee62e1039c65a666c9afd60786 | affected |
| Linux | Linux | 5.10.80 < 5.10.137 | affected |
| Linux | Linux | 5.15.3 < 5.15.27 | affected |
| Linux | Linux | 5.14.19 < 5.15 | affected |
| Linux | Linux | 5.16 | affected |
| Linux | Linux | 0 < 5.16 | unaffected |
| Linux | Linux | 5.10.137 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.27 <= 5.15.* | unaffected |
| Linux | Linux | 5.16.13 <= 5.16.* | unaffected |
| Linux | Linux | 5.17 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/8f317cd888059c59e2fa924bf4b0957cfa53f78e
- https://git.kernel.org/stable/c/e0bcd6b5779352aed88f2e538a82a39f1a7715bb
- https://git.kernel.org/stable/c/589a954daab5e18399860b6c8ffaeaf79844eb20
- https://git.kernel.org/stable/c/13765de8148f71fa795e0a6607de37c49ea5915a
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.