Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2022 / CVE-2022-49148.mbox
blob: 6bc193eb09c59b2295d044642a4028d0a6b71e9a [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2022-49148: watch_queue: Free the page array when watch_queue is dismantled
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
watch_queue: Free the page array when watch_queue is dismantled
Commit 7ea1a0124b6d ("watch_queue: Free the alloc bitmap when the
watch_queue is torn down") took care of the bitmap, but not the page
array.
BUG: memory leak
unreferenced object 0xffff88810d9bc140 (size 32):
comm "syz-executor335", pid 3603, jiffies 4294946994 (age 12.840s)
hex dump (first 32 bytes):
40 a7 40 04 00 ea ff ff 00 00 00 00 00 00 00 00 @.@.............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
kmalloc_array include/linux/slab.h:621 [inline]
kcalloc include/linux/slab.h:652 [inline]
watch_queue_set_size+0x12f/0x2e0 kernel/watch_queue.c:251
pipe_ioctl+0x82/0x140 fs/pipe.c:632
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
The Linux kernel CVE team has assigned CVE-2022-49148 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.8 with commit c73be61cede5882f9605a852414db559c0ebedfd and fixed in 5.10.110 with commit 7169f60110915c8b53bffd43741fa020a75eb87a
Issue introduced in 5.8 with commit c73be61cede5882f9605a852414db559c0ebedfd and fixed in 5.15.33 with commit 4913daecd04addb41bc96a9175a885e1c19862a8
Issue introduced in 5.8 with commit c73be61cede5882f9605a852414db559c0ebedfd and fixed in 5.16.19 with commit 3963a5d1ff75585bddf0c3a918566a6be09d7520
Issue introduced in 5.8 with commit c73be61cede5882f9605a852414db559c0ebedfd and fixed in 5.17.2 with commit 375cd2536494cfbcdda84ae8b3e35bf19d0250b9
Issue introduced in 5.8 with commit c73be61cede5882f9605a852414db559c0ebedfd and fixed in 5.18 with commit b490207017ba237d97b735b2aa66dc241ccd18f5
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49148
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
kernel/watch_queue.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/7169f60110915c8b53bffd43741fa020a75eb87a
https://git.kernel.org/stable/c/4913daecd04addb41bc96a9175a885e1c19862a8
https://git.kernel.org/stable/c/3963a5d1ff75585bddf0c3a918566a6be09d7520
https://git.kernel.org/stable/c/375cd2536494cfbcdda84ae8b3e35bf19d0250b9
https://git.kernel.org/stable/c/b490207017ba237d97b735b2aa66dc241ccd18f5