7
CVE-2022-48988
- EPSS 0.24%
- Veröffentlicht 21.10.2024 20:15:10
- Zuletzt bearbeitet 01.11.2024 15:20:42
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
memcg: fix possible use-after-free in memcg_write_event_control()
In the Linux kernel, the following vulnerability has been resolved:
memcg: fix possible use-after-free in memcg_write_event_control()
memcg_write_event_control() accesses the dentry->d_name of the specified
control fd to route the write call. As a cgroup interface file can't be
renamed, it's safe to access d_name as long as the specified file is a
regular cgroup file. Also, as these cgroup interface files can't be
removed before the directory, it's safe to access the parent too.
Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a
call to __file_cft() which verified that the specified file is a regular
cgroupfs file before further accesses. The cftype pointer returned from
__file_cft() was no longer necessary and the commit inadvertently dropped
the file type check with it allowing any file to slip through. With the
invarients broken, the d_name and parent accesses can now race against
renames and removals of arbitrary files and cause use-after-free's.
Fix the bug by resurrecting the file type check in __file_cft(). Now that
cgroupfs is implemented through kernfs, checking the file operations needs
to go through a layer of indirection. Instead, let's check the superblock
and dentry type.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 3.14 < 4.14.302
Linux ≫ Linux Kernel Version >= 4.15 < 4.19.269
Linux ≫ Linux Kernel Version >= 4.20 < 5.4.227
Linux ≫ Linux Kernel Version >= 5.5 < 5.10.159
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.83
Linux ≫ Linux Kernel Version >= 5.16 < 6.0.13
Linux ≫ Linux Kernel Version6.1 Updaterc1
Linux ≫ Linux Kernel Version6.1 Updaterc2
Linux ≫ Linux Kernel Version6.1 Updaterc3
Linux ≫ Linux Kernel Version6.1 Updaterc4
Linux ≫ Linux Kernel Version6.1 Updaterc5
Linux ≫ Linux Kernel Version6.1 Updaterc6
Linux ≫ Linux Kernel Version6.1 Updaterc7
Linux ≫ Linux Kernel Version6.1 Updaterc8
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.15 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7 | 1 | 5.9 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/0ed074317b835caa6c03bcfa8f133365324673dc
https://git.kernel.org/stable/c/35963b31821920908e397146502066f6b032c917
https://git.kernel.org/stable/c/4a7ba45b1a435e7097ca0f79a847d0949d0eb088
https://git.kernel.org/stable/c/aad8bbd17a1d586005feb9226c2e9cfce1432e13
https://git.kernel.org/stable/c/b77600e26fd48727a95ffd50ba1e937efb548125
https://git.kernel.org/stable/c/e1ae97624ecf400ea56c238bff23e5cd139df0b8
https://git.kernel.org/stable/c/f1f7f36cf682fa59db15e2089039a2eeb58ff2ad