CVE-2022-49647

EUVD-2022-54585

26.02.2025, 07:01

In the Linux kernel, the following vulnerability has been resolved:

cgroup: Use separate src/dst nodes when preloading css_sets for migration

Each cset (css_set) is pinned by its tasks. When we're moving tasks around
across csets for a migration, we need to hold the source and destination
csets to ensure that they don't go away while we're moving tasks about. This
is done by linking cset->mg_preload_node on either the
mgctx->preloaded_src_csets or mgctx->preloaded_dst_csets list. Using the
same cset->mg_preload_node for both the src and dst lists was deemed okay as
a cset can't be both the source and destination at the same time.

Unfortunately, this overloading becomes problematic when multiple tasks are
involved in a migration and some of them are identity noop migrations while
others are actually moving across cgroups. For example, this can happen with
the following sequence on cgroup1:

 #1> mkdir -p /sys/fs/cgroup/misc/a/b
 #2> echo $$ > /sys/fs/cgroup/misc/a/cgroup.procs
 #3> RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS &
 #4> PID=$!
 #5> echo $PID > /sys/fs/cgroup/misc/a/b/tasks
 #6> echo $PID > /sys/fs/cgroup/misc/a/cgroup.procs

the process including the group leader back into a. In this final migration,
non-leader threads would be doing identity migration while the group leader
is doing an actual one.

After #3, let's say the whole process was in cset A, and that after #4, the
leader moves to cset B. Then, during #6, the following happens:

 1. cgroup_migrate_add_src() is called on B for the leader.

 2. cgroup_migrate_add_src() is called on A for the other threads.

 3. cgroup_migrate_prepare_dst() is called. It scans the src list.

 4. It notices that B wants to migrate to A, so it tries to A to the dst
    list but realizes that its ->mg_preload_node is already busy.

 5. and then it notices A wants to migrate to A as it's an identity
    migration, it culls it by list_del_init()'ing its ->mg_preload_node and
    putting references accordingly.

 6. The rest of migration takes place with B on the src list but nothing on
    the dst list.

This means that A isn't held while migration is in progress. If all tasks
leave A before the migration finishes and the incoming task pins it, the
cset will be destroyed leading to use-after-free.

This is caused by overloading cset->mg_preload_node for both src and dst
preload lists. We wanted to exclude the cset from the src list but ended up
inadvertently excluding it from the dst list too.

This patch fixes the issue by separating out cset->mg_preload_node into
->mg_src_preload_node and ->mg_dst_preload_node, so that the src and dst
preloadings don't interfere with each other.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	3.16 ≤ 𝑥 < 4.14.289
linux	linux_kernel	4.15 ≤ 𝑥 < 4.19.253
linux	linux_kernel	4.20 ≤ 𝑥 < 5.4.207
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.132
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.56
linux	linux_kernel	5.16 ≤ 𝑥 < 5.18.13
linux	linux_kernel	5.19:rc1
linux	linux_kernel	5.19:rc2
linux	linux_kernel	5.19:rc3
linux	linux_kernel	5.19:rc4
linux	linux_kernel	5.19:rc5
linux	linux_kernel	5.19:rc6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.123-1 fixed
bookworm (security)	6.1.128-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.234-1 fixed
sid	6.12.16-1 fixed
trixie	6.12.12-1 fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

dlm-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

gfs2-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-64kb

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-default-base

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1.150300.18.120.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1.150400.24.78.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1.150500.6.47.1 fixed

kernel-default-man

suse enterprise server 12 SP5

4.12.14-122.255.1

fixed

kernel-docs

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-macros

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-obs-build

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-preempt

suse enterprise server 15 SP3

5.3.18-150300.59.201.1

fixed

kernel-source

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-syms

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-zfcpdump

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

ocfs2-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

reiserfs-kmp-default

suse enterprise server 15 SP3	5.3.18-150300.59.201.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

bpftool

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:7.0.0-284.11.1.el9_2 fixed

kernel

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-64k

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-64k-core

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-64k-debug

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-64k-debug-core

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-64k-debug-devel

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-64k-debug-devel-matched

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-64k-debug-modules

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-64k-debug-modules-core

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-64k-debug-modules-extra

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-64k-devel

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-64k-devel-matched

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-64k-modules

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-64k-modules-core

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-64k-modules-extra

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-abi-stablelists

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-core

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-debug

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-debug-core

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-debug-devel

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-debug-devel-matched

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-debug-modules

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-debug-modules-core

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-debug-modules-extra

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-debug-uki-virt

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-devel

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-devel-matched

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-doc

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-modules

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-modules-core

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-modules-extra

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-tools

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-tools-libs

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-tools-libs-devel

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-uki-virt

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-zfcpdump

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-zfcpdump-core

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-zfcpdump-devel

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-zfcpdump-devel-matched

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-zfcpdump-modules

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

kernel-zfcpdump-modules-core

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

kernel-zfcpdump-modules-extra

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

perf

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

python3-perf

RHEL 8	0:4.18.0-513.5.1.el8_9 fixed
RHEL 9	0:5.14.0-284.11.1.el9_2 fixed

rtla

RHEL 9

0:5.14.0-284.11.1.el9_2

fixed

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://git.kernel.org/stable/c/05f7658210d1d331e8dd4cb6e7bbbe3df5f5ac27

https://git.kernel.org/stable/c/07fd5b6cdf3cc30bfde8fe0f644771688be04447

https://git.kernel.org/stable/c/0e41774b564befa6d271e8d5086bf870d617a4e6

https://git.kernel.org/stable/c/54aee4e5ce8c21555286a6333e46c1713880cf93

https://git.kernel.org/stable/c/7657e3958535d101a24ab4400f9b8062b9107cc4

https://git.kernel.org/stable/c/ad44e05f3e016bdcb1ad25af35ade5b5f41ccd68

https://git.kernel.org/stable/c/cec2bbdcc14fbaa6b95ee15a7c423b05d97038be