cve/published/2022/CVE-2022-48988.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48988: memcg: fix possible use-after-free in memcg_write_event_control()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 memcg: fix possible use-after-free in memcg_write_event_control()

 memcg_write_event_control() accesses the dentry->d_name of the specified
 control fd to route the write call.  As a cgroup interface file can't be
 renamed, it's safe to access d_name as long as the specified file is a
 regular cgroup file.  Also, as these cgroup interface files can't be
 removed before the directory, it's safe to access the parent too.

 Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a
 call to __file_cft() which verified that the specified file is a regular
 cgroupfs file before further accesses.  The cftype pointer returned from
 __file_cft() was no longer necessary and the commit inadvertently dropped
 the file type check with it allowing any file to slip through.  With the
 invarients broken, the d_name and parent accesses can now race against
 renames and removals of arbitrary files and cause use-after-free's.

 Fix the bug by resurrecting the file type check in __file_cft().  Now that
 cgroupfs is implemented through kernfs, checking the file operations needs
 to go through a layer of indirection.  Instead, let's check the superblock
 and dentry type.

 The Linux kernel CVE team has assigned CVE-2022-48988 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.14 with commit 347c4a8747104a945ecced358944e42879176ca5 and fixed in 4.14.302 with commit b77600e26fd48727a95ffd50ba1e937efb548125
 	Issue introduced in 3.14 with commit 347c4a8747104a945ecced358944e42879176ca5 and fixed in 4.19.269 with commit e1ae97624ecf400ea56c238bff23e5cd139df0b8
 	Issue introduced in 3.14 with commit 347c4a8747104a945ecced358944e42879176ca5 and fixed in 5.4.227 with commit 35963b31821920908e397146502066f6b032c917
 	Issue introduced in 3.14 with commit 347c4a8747104a945ecced358944e42879176ca5 and fixed in 5.10.159 with commit f1f7f36cf682fa59db15e2089039a2eeb58ff2ad
 	Issue introduced in 3.14 with commit 347c4a8747104a945ecced358944e42879176ca5 and fixed in 5.15.83 with commit aad8bbd17a1d586005feb9226c2e9cfce1432e13
 	Issue introduced in 3.14 with commit 347c4a8747104a945ecced358944e42879176ca5 and fixed in 6.0.13 with commit 0ed074317b835caa6c03bcfa8f133365324673dc
 	Issue introduced in 3.14 with commit 347c4a8747104a945ecced358944e42879176ca5 and fixed in 6.1 with commit 4a7ba45b1a435e7097ca0f79a847d0949d0eb088

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48988
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/linux/cgroup.h
 	kernel/cgroup/cgroup-internal.h
 	mm/memcontrol.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b77600e26fd48727a95ffd50ba1e937efb548125
 	https://git.kernel.org/stable/c/e1ae97624ecf400ea56c238bff23e5cd139df0b8
 	https://git.kernel.org/stable/c/35963b31821920908e397146502066f6b032c917
 	https://git.kernel.org/stable/c/f1f7f36cf682fa59db15e2089039a2eeb58ff2ad
 	https://git.kernel.org/stable/c/aad8bbd17a1d586005feb9226c2e9cfce1432e13
 	https://git.kernel.org/stable/c/0ed074317b835caa6c03bcfa8f133365324673dc
 	https://git.kernel.org/stable/c/4a7ba45b1a435e7097ca0f79a847d0949d0eb088
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48988: memcg: fix possible use-after-free in memcg_write_event_control()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	memcg: fix possible use-after-free in memcg_write_event_control()

	memcg_write_event_control() accesses the dentry->d_name of the specified
	control fd to route the write call. As a cgroup interface file can't be
	renamed, it's safe to access d_name as long as the specified file is a
	regular cgroup file. Also, as these cgroup interface files can't be
	removed before the directory, it's safe to access the parent too.

	Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a
	call to __file_cft() which verified that the specified file is a regular
	cgroupfs file before further accesses. The cftype pointer returned from
	__file_cft() was no longer necessary and the commit inadvertently dropped
	the file type check with it allowing any file to slip through. With the
	invarients broken, the d_name and parent accesses can now race against
	renames and removals of arbitrary files and cause use-after-free's.

	Fix the bug by resurrecting the file type check in __file_cft(). Now that
	cgroupfs is implemented through kernfs, checking the file operations needs
	to go through a layer of indirection. Instead, let's check the superblock
	and dentry type.

	The Linux kernel CVE team has assigned CVE-2022-48988 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.14 with commit 347c4a8747104a945ecced358944e42879176ca5 and fixed in 4.14.302 with commit b77600e26fd48727a95ffd50ba1e937efb548125
	Issue introduced in 3.14 with commit 347c4a8747104a945ecced358944e42879176ca5 and fixed in 4.19.269 with commit e1ae97624ecf400ea56c238bff23e5cd139df0b8
	Issue introduced in 3.14 with commit 347c4a8747104a945ecced358944e42879176ca5 and fixed in 5.4.227 with commit 35963b31821920908e397146502066f6b032c917
	Issue introduced in 3.14 with commit 347c4a8747104a945ecced358944e42879176ca5 and fixed in 5.10.159 with commit f1f7f36cf682fa59db15e2089039a2eeb58ff2ad
	Issue introduced in 3.14 with commit 347c4a8747104a945ecced358944e42879176ca5 and fixed in 5.15.83 with commit aad8bbd17a1d586005feb9226c2e9cfce1432e13
	Issue introduced in 3.14 with commit 347c4a8747104a945ecced358944e42879176ca5 and fixed in 6.0.13 with commit 0ed074317b835caa6c03bcfa8f133365324673dc
	Issue introduced in 3.14 with commit 347c4a8747104a945ecced358944e42879176ca5 and fixed in 6.1 with commit 4a7ba45b1a435e7097ca0f79a847d0949d0eb088

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48988
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/linux/cgroup.h
	kernel/cgroup/cgroup-internal.h
	mm/memcontrol.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b77600e26fd48727a95ffd50ba1e937efb548125
	https://git.kernel.org/stable/c/e1ae97624ecf400ea56c238bff23e5cd139df0b8
	https://git.kernel.org/stable/c/35963b31821920908e397146502066f6b032c917
	https://git.kernel.org/stable/c/f1f7f36cf682fa59db15e2089039a2eeb58ff2ad
	https://git.kernel.org/stable/c/aad8bbd17a1d586005feb9226c2e9cfce1432e13
	https://git.kernel.org/stable/c/0ed074317b835caa6c03bcfa8f133365324673dc
	https://git.kernel.org/stable/c/4a7ba45b1a435e7097ca0f79a847d0949d0eb088