Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2022 / CVE-2022-49087.mbox
blob: 2f38d08442230b523bedbb73a54535645622179e [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2022-49087: rxrpc: fix a race in rxrpc_exit_net()
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: fix a race in rxrpc_exit_net()
Current code can lead to the following race:
CPU0 CPU1
rxrpc_exit_net()
rxrpc_peer_keepalive_worker()
if (rxnet->live)
rxnet->live = false;
del_timer_sync(&rxnet->peer_keepalive_timer);
timer_reduce(&rxnet->peer_keepalive_timer, jiffies + delay);
cancel_work_sync(&rxnet->peer_keepalive_work);
rxrpc_exit_net() exits while peer_keepalive_timer is still armed,
leading to use-after-free.
syzbot report was:
ODEBUG: free active (active state 0) object type: timer_list hint: rxrpc_peer_keepalive_timeout+0x0/0xb0
WARNING: CPU: 0 PID: 3660 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505
Modules linked in:
CPU: 0 PID: 3660 Comm: kworker/u4:6 Not tainted 5.17.0-syzkaller-13993-g88e6c0207623 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505
Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd 00 1c 26 8a 4c 89 ee 48 c7 c7 00 10 26 8a e8 b1 e7 28 05 <0f> 0b 83 05 15 eb c5 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3
RSP: 0018:ffffc9000353fb00 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffff888029196140 RSI: ffffffff815efad8 RDI: fffff520006a7f52
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815ea4ae R11: 0000000000000000 R12: ffffffff89ce23e0
R13: ffffffff8a2614e0 R14: ffffffff816628c0 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe1f2908924 CR3: 0000000043720000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__debug_check_no_obj_freed lib/debugobjects.c:992 [inline]
debug_check_no_obj_freed+0x301/0x420 lib/debugobjects.c:1023
kfree+0xd6/0x310 mm/slab.c:3809
ops_free_list.part.0+0x119/0x370 net/core/net_namespace.c:176
ops_free_list net/core/net_namespace.c:174 [inline]
cleanup_net+0x591/0xb00 net/core/net_namespace.c:598
process_one_work+0x996/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
The Linux kernel CVE team has assigned CVE-2022-49087 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.17 with commit ace45bec6d77bc061c3c3d8ad99e298ea9800c2b and fixed in 4.19.238 with commit 864297ee30727ae6233f80296b7fc91442620b05
Issue introduced in 4.17 with commit ace45bec6d77bc061c3c3d8ad99e298ea9800c2b and fixed in 5.4.189 with commit 7ee84d29f22de6f6c63fad6c54690517659862f1
Issue introduced in 4.17 with commit ace45bec6d77bc061c3c3d8ad99e298ea9800c2b and fixed in 5.10.111 with commit 08ff0e74fab517dbc44e11b8bc683dd4ecc65950
Issue introduced in 4.17 with commit ace45bec6d77bc061c3c3d8ad99e298ea9800c2b and fixed in 5.15.34 with commit 571d8e1d154ca18f08dcb72b69318d36e10010a0
Issue introduced in 4.17 with commit ace45bec6d77bc061c3c3d8ad99e298ea9800c2b and fixed in 5.16.20 with commit 41024a40f6c793abbb916a857f18fb009f07464c
Issue introduced in 4.17 with commit ace45bec6d77bc061c3c3d8ad99e298ea9800c2b and fixed in 5.17.3 with commit cd8aef1f30d1215648e4e6686cfb422004851429
Issue introduced in 4.17 with commit ace45bec6d77bc061c3c3d8ad99e298ea9800c2b and fixed in 5.18 with commit 1946014ca3b19be9e485e780e862c375c6f98bad
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49087
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/rxrpc/net_ns.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/864297ee30727ae6233f80296b7fc91442620b05
https://git.kernel.org/stable/c/7ee84d29f22de6f6c63fad6c54690517659862f1
https://git.kernel.org/stable/c/08ff0e74fab517dbc44e11b8bc683dd4ecc65950
https://git.kernel.org/stable/c/571d8e1d154ca18f08dcb72b69318d36e10010a0
https://git.kernel.org/stable/c/41024a40f6c793abbb916a857f18fb009f07464c
https://git.kernel.org/stable/c/cd8aef1f30d1215648e4e6686cfb422004851429
https://git.kernel.org/stable/c/1946014ca3b19be9e485e780e862c375c6f98bad