CVE-2022-48988

EPSS 0.06%
Published 21.10.2024 20:15:10
Last modified 01.11.2024 15:20:42
Source 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Open
Login

In the Linux kernel, the following vulnerability has been resolved:

memcg: fix possible use-after-free in memcg_write_event_control()

memcg_write_event_control() accesses the dentry->d_name of the specified
control fd to route the write call.  As a cgroup interface file can't be
renamed, it's safe to access d_name as long as the specified file is a
regular cgroup file.  Also, as these cgroup interface files can't be
removed before the directory, it's safe to access the parent too.

Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a
call to __file_cft() which verified that the specified file is a regular
cgroupfs file before further accesses.  The cftype pointer returned from
__file_cft() was no longer necessary and the commit inadvertently dropped
the file type check with it allowing any file to slip through.  With the
invarients broken, the d_name and parent accesses can now race against
renames and removals of arbitrary files and cause use-after-free's.

Fix the bug by resurrecting the file type check in __file_cft().  Now that
cgroupfs is implemented through kernfs, checking the file operations needs
to go through a layer of indirection.  Instead, let's check the superblock
and dentry type.

Affected products Warnungen 0 Metrics 2 CWE 1 References 10

Data is provided by the National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 3.14 < 4.14.302

Linux ≫ Linux Kernel Version >= 4.15 < 4.19.269

Linux ≫ Linux Kernel Version >= 4.20 < 5.4.227

Linux ≫ Linux Kernel Version >= 5.5 < 5.10.159

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.83

Linux ≫ Linux Kernel Version >= 5.16 < 6.0.13

Linux ≫ Linux Kernel Version6.1 Updaterc1

Linux ≫ Linux Kernel Version6.1 Updaterc2

Linux ≫ Linux Kernel Version6.1 Updaterc3

Linux ≫ Linux Kernel Version6.1 Updaterc4

Linux ≫ Linux Kernel Version6.1 Updaterc5

Linux ≫ Linux Kernel Version6.1 Updaterc6

Linux ≫ Linux Kernel Version6.1 Updaterc7

Linux ≫ Linux Kernel Version6.1 Updaterc8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.06%	0.175

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7	1	5.9	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/0ed074317b835caa6c03bcfa8f133365324673dc

Patch

https://git.kernel.org/stable/c/35963b31821920908e397146502066f6b032c917

Patch

https://git.kernel.org/stable/c/4a7ba45b1a435e7097ca0f79a847d0949d0eb088

Patch

https://git.kernel.org/stable/c/aad8bbd17a1d586005feb9226c2e9cfce1432e13

Patch

https://git.kernel.org/stable/c/b77600e26fd48727a95ffd50ba1e937efb548125

Patch

https://git.kernel.org/stable/c/e1ae97624ecf400ea56c238bff23e5cd139df0b8

Patch