cve/published/2022/CVE-2022-49149.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49149: rxrpc: Fix call timer start racing with call destruction

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 rxrpc: Fix call timer start racing with call destruction

 The rxrpc_call struct has a timer used to handle various timed events
 relating to a call.  This timer can get started from the packet input
 routines that are run in softirq mode with just the RCU read lock held.
 Unfortunately, because only the RCU read lock is held - and neither ref or
 other lock is taken - the call can start getting destroyed at the same time
 a packet comes in addressed to that call.  This causes the timer - which
 was already stopped - to get restarted.  Later, the timer dispatch code may
 then oops if the timer got deallocated first.

 Fix this by trying to take a ref on the rxrpc_call struct and, if
 successful, passing that ref along to the timer.  If the timer was already
 running, the ref is discarded.

 The timer completion routine can then pass the ref along to the call's work
 item when it queues it.  If the timer or work item where already
 queued/running, the extra ref is discarded.

 The Linux kernel CVE team has assigned CVE-2022-49149 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.15 with commit a158bdd3247b9656df36ba133235fff702e9fdc3 and fixed in 5.10.110 with commit 051360e51341cd17738d82c15a8226010c7cb7f6
 	Issue introduced in 4.15 with commit a158bdd3247b9656df36ba133235fff702e9fdc3 and fixed in 5.15.33 with commit 8cbf4ae7a2833767d63114573e5f9a45740cc975
 	Issue introduced in 4.15 with commit a158bdd3247b9656df36ba133235fff702e9fdc3 and fixed in 5.16.19 with commit 54df5a37f1d951ed27fd47bf9b15a42279582110
 	Issue introduced in 4.15 with commit a158bdd3247b9656df36ba133235fff702e9fdc3 and fixed in 5.17.2 with commit 5e3c11144e557a9dbf9a2f6abe444689ef9d8aae
 	Issue introduced in 4.15 with commit a158bdd3247b9656df36ba133235fff702e9fdc3 and fixed in 5.18 with commit 4a7f62f91933c8ae5308f9127fd8ea48188b6bc3

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49149
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/trace/events/rxrpc.h
 	net/rxrpc/ar-internal.h
 	net/rxrpc/call_event.c
 	net/rxrpc/call_object.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/051360e51341cd17738d82c15a8226010c7cb7f6
 	https://git.kernel.org/stable/c/8cbf4ae7a2833767d63114573e5f9a45740cc975
 	https://git.kernel.org/stable/c/54df5a37f1d951ed27fd47bf9b15a42279582110
 	https://git.kernel.org/stable/c/5e3c11144e557a9dbf9a2f6abe444689ef9d8aae
 	https://git.kernel.org/stable/c/4a7f62f91933c8ae5308f9127fd8ea48188b6bc3
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49149: rxrpc: Fix call timer start racing with call destruction

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	rxrpc: Fix call timer start racing with call destruction

	The rxrpc_call struct has a timer used to handle various timed events
	relating to a call. This timer can get started from the packet input
	routines that are run in softirq mode with just the RCU read lock held.
	Unfortunately, because only the RCU read lock is held - and neither ref or
	other lock is taken - the call can start getting destroyed at the same time
	a packet comes in addressed to that call. This causes the timer - which
	was already stopped - to get restarted. Later, the timer dispatch code may
	then oops if the timer got deallocated first.

	Fix this by trying to take a ref on the rxrpc_call struct and, if
	successful, passing that ref along to the timer. If the timer was already
	running, the ref is discarded.

	The timer completion routine can then pass the ref along to the call's work
	item when it queues it. If the timer or work item where already
	queued/running, the extra ref is discarded.

	The Linux kernel CVE team has assigned CVE-2022-49149 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.15 with commit a158bdd3247b9656df36ba133235fff702e9fdc3 and fixed in 5.10.110 with commit 051360e51341cd17738d82c15a8226010c7cb7f6
	Issue introduced in 4.15 with commit a158bdd3247b9656df36ba133235fff702e9fdc3 and fixed in 5.15.33 with commit 8cbf4ae7a2833767d63114573e5f9a45740cc975
	Issue introduced in 4.15 with commit a158bdd3247b9656df36ba133235fff702e9fdc3 and fixed in 5.16.19 with commit 54df5a37f1d951ed27fd47bf9b15a42279582110
	Issue introduced in 4.15 with commit a158bdd3247b9656df36ba133235fff702e9fdc3 and fixed in 5.17.2 with commit 5e3c11144e557a9dbf9a2f6abe444689ef9d8aae
	Issue introduced in 4.15 with commit a158bdd3247b9656df36ba133235fff702e9fdc3 and fixed in 5.18 with commit 4a7f62f91933c8ae5308f9127fd8ea48188b6bc3

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49149
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/trace/events/rxrpc.h
	net/rxrpc/ar-internal.h
	net/rxrpc/call_event.c
	net/rxrpc/call_object.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/051360e51341cd17738d82c15a8226010c7cb7f6
	https://git.kernel.org/stable/c/8cbf4ae7a2833767d63114573e5f9a45740cc975
	https://git.kernel.org/stable/c/54df5a37f1d951ed27fd47bf9b15a42279582110
	https://git.kernel.org/stable/c/5e3c11144e557a9dbf9a2f6abe444689ef9d8aae
	https://git.kernel.org/stable/c/4a7f62f91933c8ae5308f9127fd8ea48188b6bc3