CVE-2022-48988
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
memcg: fix possible use-after-free in memcg_write_event_control()
memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too.
Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it allowing any file to slip through. With the invarients broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-free's.
Fix the bug by resurrecting the file type check in __file_cft(). Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 347c4a8747104a945ecced358944e42879176ca5 < b77600e26fd48727a95ffd50ba1e937efb548125 | affected |
| Linux | Linux | 347c4a8747104a945ecced358944e42879176ca5 < e1ae97624ecf400ea56c238bff23e5cd139df0b8 | affected |
| Linux | Linux | 347c4a8747104a945ecced358944e42879176ca5 < 35963b31821920908e397146502066f6b032c917 | affected |
| Linux | Linux | 347c4a8747104a945ecced358944e42879176ca5 < f1f7f36cf682fa59db15e2089039a2eeb58ff2ad | affected |
| Linux | Linux | 347c4a8747104a945ecced358944e42879176ca5 < aad8bbd17a1d586005feb9226c2e9cfce1432e13 | affected |
| Linux | Linux | 347c4a8747104a945ecced358944e42879176ca5 < 0ed074317b835caa6c03bcfa8f133365324673dc | affected |
| Linux | Linux | 347c4a8747104a945ecced358944e42879176ca5 < 4a7ba45b1a435e7097ca0f79a847d0949d0eb088 | affected |
| Linux | Linux | 3.14 | affected |
| Linux | Linux | 0 < 3.14 | unaffected |
| Linux | Linux | 4.14.302 <= 4.14.* | unaffected |
| Linux | Linux | 4.19.269 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.227 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.159 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.83 <= 5.15.* | unaffected |
| Linux | Linux | 6.0.13 <= 6.0.* | unaffected |
| Linux | Linux | 6.1 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/b77600e26fd48727a95ffd50ba1e937efb548125
- https://git.kernel.org/stable/c/e1ae97624ecf400ea56c238bff23e5cd139df0b8
- https://git.kernel.org/stable/c/35963b31821920908e397146502066f6b032c917
- https://git.kernel.org/stable/c/f1f7f36cf682fa59db15e2089039a2eeb58ff2ad
- https://git.kernel.org/stable/c/aad8bbd17a1d586005feb9226c2e9cfce1432e13
- https://git.kernel.org/stable/c/0ed074317b835caa6c03bcfa8f133365324673dc
- https://git.kernel.org/stable/c/4a7ba45b1a435e7097ca0f79a847d0949d0eb088
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.