CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
In the Linux kernel, the following vulnerability has been resolved:
sched/core: Fix use-after-free bug in dup_user_cpus_ptr()
Since commit 07ec77a1d4e8 (“sched: Allow task CPU affinity to be
restricted on asymmetric systems”), the setting and clearing of
user_cpus_ptr are done under pi_lock for arm64 architecture. However,
dup_user_cpus_ptr() accesses user_cpus_ptr without any lock
protection. Since sched_setaffinity() can be invoked from another
process, the process being modified may be undergoing fork() at
the same time. When racing with the clearing of user_cpus_ptr in
__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and
possibly double-free in arm64 kernel.
Commit 8f9ea86fdf99 (“sched: Always preserve the user requested
cpumask”) fixes this problem as user_cpus_ptr, once set, will never
be cleared in a task’s lifetime. However, this bug was re-introduced
in commit 851a723e45d1 (“sched: Always clear user_cpus_ptr in
do_set_cpus_allowed()”) which allows the clearing of user_cpus_ptr in
do_set_cpus_allowed(). This time, it will affect all arches.
Fix this bug by always clearing the user_cpus_ptr of the newly
cloned/forked task before the copying process starts and check the
user_cpus_ptr state of the source task under pi_lock.
Note to stable, this patch won’t be applicable to stable releases.
Just copy the new dup_user_cpus_ptr() function over.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | linux | < 5.15.0-70.77 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1034.38 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1034.38~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < 5.15.0-1036.43 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-5.15 | < 5.15.0-1036.43~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-fde | < 5.15.0-1036.43.1 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-fde-5.15 | < 5.15.0-1036.43~20.04.1.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gcp | < 5.15.0-1032.40 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-gcp-5.15 | < 5.15.0-1032.40~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gke | < 5.15.0-1031.36 | UNKNOWN |
git.kernel.org/linus/87ca4f9efbd7cc649ff43b87970888f2812945b8 (6.2-rc4)
git.kernel.org/stable/c/7b5cc7fd1789ea5dbb942c9f8207b076d365badc
git.kernel.org/stable/c/87ca4f9efbd7cc649ff43b87970888f2812945b8
git.kernel.org/stable/c/b22faa21b6230d5eccd233e1b7e0026a5002b287
launchpad.net/bugs/cve/CVE-2022-48892
nvd.nist.gov/vuln/detail/CVE-2022-48892
security-tracker.debian.org/tracker/CVE-2022-48892
www.cve.org/CVERecord?id=CVE-2022-48892