CVE-2022-48988
21.10.2024, 20:15
In the Linux kernel, the following vulnerability has been resolved:
memcg: fix possible use-after-free in memcg_write_event_control()
memcg_write_event_control() accesses the dentry->d_name of the specified
control fd to route the write call. As a cgroup interface file can't be
renamed, it's safe to access d_name as long as the specified file is a
regular cgroup file. Also, as these cgroup interface files can't be
removed before the directory, it's safe to access the parent too.
Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a
call to __file_cft() which verified that the specified file is a regular
cgroupfs file before further accesses. The cftype pointer returned from
__file_cft() was no longer necessary and the commit inadvertently dropped
the file type check with it allowing any file to slip through. With the
invariants broken, the d_name and parent accesses can now race against
renames and removals of arbitrary files and cause use-after-frees.
Fix the bug by resurrecting the file type check in __file_cft(). Now that
cgroupfs is implemented through kernfs, checking the file operations needs
to go through a layer of indirection. Instead, let's check the superblock
and dentry type.

| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 3.14 ≤ x < 4.14.302 |
| linux | linux_kernel | 4.15 ≤ x < 4.19.269 |
| linux | linux_kernel | 4.20 ≤ x < 5.4.227 |
| linux | linux_kernel | 5.5 ≤ x < 5.10.159 |
| linux | linux_kernel | 5.11 ≤ x < 5.15.83 |
| linux | linux_kernel | 5.16 ≤ x < 6.0.13 |
| linux | linux_kernel | 6.1:rc1 |
| linux | linux_kernel | 6.1:rc2 |
| linux | linux_kernel | 6.1:rc3 |
| linux | linux_kernel | 6.1:rc4 |
| linux | linux_kernel | 6.1:rc5 |
| linux | linux_kernel | 6.1:rc6 |
| linux | linux_kernel | 6.1:rc7 |
| linux | linux_kernel | 6.1:rc8 |

x = vulnerable software versions
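An added host-side check, not part of the advisory or of the kernel fix, that compares a `uname -r` string against the affected ranges in the table above. The range bounds are transcribed from the table; the handling of release candidates assumes the `6.1.0-rcN` form that `uname -r` reports.

```python
import re

# Affected ranges per stable branch, transcribed from the advisory table:
# (first affected major.minor, first fixed version).
AFFECTED_RANGES = [
    ((3, 14), (4, 14, 302)),
    ((4, 15), (4, 19, 269)),
    ((4, 20), (5, 4, 227)),
    ((5, 5), (5, 10, 159)),
    ((5, 11), (5, 15, 83)),
    ((5, 16), (6, 0, 13)),
]
# Release candidates listed individually in the table, in its "6.1:rcN" notation.
AFFECTED_RCS = {f"6.1:rc{n}" for n in range(1, 9)}

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
_RC_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)?-rc(\d+)")


def parse_kernel_version(uname_r):
    """Reduce a `uname -r` string such as '5.10.158-2-amd64' to (major, minor, patch).

    Distribution suffixes after the patch level are ignored; they do not change
    which upstream stable release the kernel is based on.
    """
    m = _RELEASE_RE.match(uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(uname_r):
    """True if the upstream version in `uname_r` lies in an affected range."""
    rc = _RC_RE.match(uname_r)
    if rc:
        # Assumed: uname -r reports release candidates as '6.1.0-rc3'.
        return f"{rc.group(1)}.{rc.group(2)}:rc{rc.group(3)}" in AFFECTED_RCS
    v = parse_kernel_version(uname_r)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v[:2] and v < first_fixed:
            return True
    return False
```

Distribution kernels frequently backport the fix without changing the upstream version number, so a match here is a prompt to check the vendor changelog for commit 4a7ba45b1a43 or the CVE id, not a confirmed exposure.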