cve/published/2022/CVE-2022-49401.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49401: mm/page_owner: use strscpy() instead of strlcpy()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm/page_owner: use strscpy() instead of strlcpy()

 current->comm[] is not a string (no guarantee for a zero byte in it).

 strlcpy(s1, s2, l) is calling strlen(s2), potentially
 causing out-of-bound access, as reported by syzbot:

 detected buffer overflow in __fortify_strlen
 ------------[ cut here ]------------
 kernel BUG at lib/string_helpers.c:980!
 invalid opcode: 0000 [#1] PREEMPT SMP KASAN
 CPU: 0 PID: 4087 Comm: dhcpcd-run-hooks Not tainted 5.18.0-rc3-syzkaller-01537-g20b87e7c29df #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 RIP: 0010:fortify_panic+0x18/0x1a lib/string_helpers.c:980
 Code: 8c e8 c5 ba e1 fa e9 23 0f bf fa e8 0b 5d 8c f8 eb db 55 48 89 fd e8 e0 49 40 f8 48 89 ee 48 c7 c7 80 f5 26 8a e8 99 09 f1 ff <0f> 0b e8 ca 49 40 f8 48 8b 54 24 18 4c 89 f1 48 c7 c7 00 00 27 8a
 RSP: 0018:ffffc900000074a8 EFLAGS: 00010286

 RAX: 000000000000002c RBX: ffff88801226b728 RCX: 0000000000000000
 RDX: ffff8880198e0000 RSI: ffffffff81600458 RDI: fffff52000000e87
 RBP: ffffffff89da2aa0 R08: 000000000000002c R09: 0000000000000000
 R10: ffffffff815fae2e R11: 0000000000000000 R12: ffff88801226b700
 R13: ffff8880198e0830 R14: 0000000000000000 R15: 0000000000000000
 FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f5876ad6ff8 CR3: 000000001a48c000 CR4: 00000000003506f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
 Call Trace:
  <IRQ>
  __fortify_strlen include/linux/fortify-string.h:128 [inline]
  strlcpy include/linux/fortify-string.h:143 [inline]
  __set_page_owner_handle+0x2b1/0x3e0 mm/page_owner.c:171
  __set_page_owner+0x3e/0x50 mm/page_owner.c:190
  prep_new_page mm/page_alloc.c:2441 [inline]
  get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182
  __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408
  alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
  alloc_slab_page mm/slub.c:1799 [inline]
  allocate_slab+0x26c/0x3c0 mm/slub.c:1944
  new_slab mm/slub.c:2004 [inline]
  ___slab_alloc+0x8df/0xf20 mm/slub.c:3005
  __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092
  slab_alloc_node mm/slub.c:3183 [inline]
  slab_alloc mm/slub.c:3225 [inline]
  __kmem_cache_alloc_lru mm/slub.c:3232 [inline]
  kmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242
  dst_alloc+0x146/0x1f0 net/core/dst.c:92

 The Linux kernel CVE team has assigned CVE-2022-49401 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.18 with commit 865ed6a3278654ce4a55eb74c5283eeb82ad4699 and fixed in 5.18.3 with commit 5cd9900a1ac8b0a4ff3cd97d4d77b7711be435bf
 	Issue introduced in 5.18 with commit 865ed6a3278654ce4a55eb74c5283eeb82ad4699 and fixed in 5.19 with commit cd8c1fd8cdd14158f2d8bea2d1bfe8015dccfa3a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49401
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/page_owner.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5cd9900a1ac8b0a4ff3cd97d4d77b7711be435bf
 	https://git.kernel.org/stable/c/cd8c1fd8cdd14158f2d8bea2d1bfe8015dccfa3a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49401: mm/page_owner: use strscpy() instead of strlcpy()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm/page_owner: use strscpy() instead of strlcpy()

	current->comm[] is not a string (no guarantee for a zero byte in it).

	strlcpy(s1, s2, l) is calling strlen(s2), potentially
	causing out-of-bound access, as reported by syzbot:

	detected buffer overflow in __fortify_strlen
	------------[ cut here ]------------
	kernel BUG at lib/string_helpers.c:980!
	invalid opcode: 0000 [#1] PREEMPT SMP KASAN
	CPU: 0 PID: 4087 Comm: dhcpcd-run-hooks Not tainted 5.18.0-rc3-syzkaller-01537-g20b87e7c29df #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
	RIP: 0010:fortify_panic+0x18/0x1a lib/string_helpers.c:980
	Code: 8c e8 c5 ba e1 fa e9 23 0f bf fa e8 0b 5d 8c f8 eb db 55 48 89 fd e8 e0 49 40 f8 48 89 ee 48 c7 c7 80 f5 26 8a e8 99 09 f1 ff <0f> 0b e8 ca 49 40 f8 48 8b 54 24 18 4c 89 f1 48 c7 c7 00 00 27 8a
	RSP: 0018:ffffc900000074a8 EFLAGS: 00010286

	RAX: 000000000000002c RBX: ffff88801226b728 RCX: 0000000000000000
	RDX: ffff8880198e0000 RSI: ffffffff81600458 RDI: fffff52000000e87
	RBP: ffffffff89da2aa0 R08: 000000000000002c R09: 0000000000000000
	R10: ffffffff815fae2e R11: 0000000000000000 R12: ffff88801226b700
	R13: ffff8880198e0830 R14: 0000000000000000 R15: 0000000000000000
	FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
	CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	CR2: 00007f5876ad6ff8 CR3: 000000001a48c000 CR4: 00000000003506f0
	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
	Call Trace:
	<IRQ>
	__fortify_strlen include/linux/fortify-string.h:128 [inline]
	strlcpy include/linux/fortify-string.h:143 [inline]
	__set_page_owner_handle+0x2b1/0x3e0 mm/page_owner.c:171
	__set_page_owner+0x3e/0x50 mm/page_owner.c:190
	prep_new_page mm/page_alloc.c:2441 [inline]
	get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4182
	__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5408
	alloc_pages+0x1aa/0x310 mm/mempolicy.c:2272
	alloc_slab_page mm/slub.c:1799 [inline]
	allocate_slab+0x26c/0x3c0 mm/slub.c:1944
	new_slab mm/slub.c:2004 [inline]
	___slab_alloc+0x8df/0xf20 mm/slub.c:3005
	__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3092
	slab_alloc_node mm/slub.c:3183 [inline]
	slab_alloc mm/slub.c:3225 [inline]
	__kmem_cache_alloc_lru mm/slub.c:3232 [inline]
	kmem_cache_alloc+0x360/0x3b0 mm/slub.c:3242
	dst_alloc+0x146/0x1f0 net/core/dst.c:92

	The Linux kernel CVE team has assigned CVE-2022-49401 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.18 with commit 865ed6a3278654ce4a55eb74c5283eeb82ad4699 and fixed in 5.18.3 with commit 5cd9900a1ac8b0a4ff3cd97d4d77b7711be435bf
	Issue introduced in 5.18 with commit 865ed6a3278654ce4a55eb74c5283eeb82ad4699 and fixed in 5.19 with commit cd8c1fd8cdd14158f2d8bea2d1bfe8015dccfa3a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49401
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/page_owner.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5cd9900a1ac8b0a4ff3cd97d4d77b7711be435bf
	https://git.kernel.org/stable/c/cd8c1fd8cdd14158f2d8bea2d1bfe8015dccfa3a