cve/published/2022/CVE-2022-49443.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49443: list: fix a data-race around ep->rdllist

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 list: fix a data-race around ep->rdllist

 ep_poll() first calls ep_events_available() with no lock held and checks
 if ep->rdllist is empty by list_empty_careful(), which reads
 rdllist->prev.  Thus all accesses to it need some protection to avoid
 store/load-tearing.

 Note INIT_LIST_HEAD_RCU() already has the annotation for both prev
 and next.

 Commit bf3b9f6372c4 ("epoll: Add busy poll support to epoll with socket
 fds.") added the first lockless ep_events_available(), and commit
 c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()")
 made some ep_events_available() calls lockless and added single call under
 a lock, finally commit e59d3c64cba6 ("epoll: eliminate unnecessary lock
 for zero timeout") made the last ep_events_available() lockless.

 BUG: KCSAN: data-race in do_epoll_wait / do_epoll_wait

 write to 0xffff88810480c7d8 of 8 bytes by task 1802 on cpu 0:
  INIT_LIST_HEAD include/linux/list.h:38 [inline]
  list_splice_init include/linux/list.h:492 [inline]
  ep_start_scan fs/eventpoll.c:622 [inline]
  ep_send_events fs/eventpoll.c:1656 [inline]
  ep_poll fs/eventpoll.c:1806 [inline]
  do_epoll_wait+0x4eb/0xf40 fs/eventpoll.c:2234
  do_epoll_pwait fs/eventpoll.c:2268 [inline]
  __do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]
  __se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275
  __x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 read to 0xffff88810480c7d8 of 8 bytes by task 1799 on cpu 1:
  list_empty_careful include/linux/list.h:329 [inline]
  ep_events_available fs/eventpoll.c:381 [inline]
  ep_poll fs/eventpoll.c:1797 [inline]
  do_epoll_wait+0x279/0xf40 fs/eventpoll.c:2234
  do_epoll_pwait fs/eventpoll.c:2268 [inline]
  __do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]
  __se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275
  __x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 value changed: 0xffff88810480c7d0 -> 0xffff888103c15098

 Reported by Kernel Concurrency Sanitizer on:
 CPU: 1 PID: 1799 Comm: syz-fuzzer Tainted: G        W         5.17.0-rc7-syzkaller-dirty #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

 The Linux kernel CVE team has assigned CVE-2022-49443 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.12 with commit bf3b9f6372c45b0fbf24d86b8794910d20170017 and fixed in 5.15.46 with commit 5d5d993f16be15d124be7b8ec71b28ef7b7dc3af
 	Issue introduced in 4.12 with commit bf3b9f6372c45b0fbf24d86b8794910d20170017 and fixed in 5.17.14 with commit cb3e48f7a35033deb9455abe3932e63cb500b9eb
 	Issue introduced in 4.12 with commit bf3b9f6372c45b0fbf24d86b8794910d20170017 and fixed in 5.18.3 with commit e039c0b5985999b150594126225e1ee51df7b4c9
 	Issue introduced in 4.12 with commit bf3b9f6372c45b0fbf24d86b8794910d20170017 and fixed in 5.19 with commit d679ae94fdd5d3ab00c35078f5af5f37e068b03d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49443
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/linux/list.h


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5d5d993f16be15d124be7b8ec71b28ef7b7dc3af
 	https://git.kernel.org/stable/c/cb3e48f7a35033deb9455abe3932e63cb500b9eb
 	https://git.kernel.org/stable/c/e039c0b5985999b150594126225e1ee51df7b4c9
 	https://git.kernel.org/stable/c/d679ae94fdd5d3ab00c35078f5af5f37e068b03d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49443: list: fix a data-race around ep->rdllist

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	list: fix a data-race around ep->rdllist

	ep_poll() first calls ep_events_available() with no lock held and checks
	if ep->rdllist is empty by list_empty_careful(), which reads
	rdllist->prev. Thus all accesses to it need some protection to avoid
	store/load-tearing.

	Note INIT_LIST_HEAD_RCU() already has the annotation for both prev
	and next.

	Commit bf3b9f6372c4 ("epoll: Add busy poll support to epoll with socket
	fds.") added the first lockless ep_events_available(), and commit
	c5a282e9635e ("fs/epoll: reduce the scope of wq lock in epoll_wait()")
	made some ep_events_available() calls lockless and added single call under
	a lock, finally commit e59d3c64cba6 ("epoll: eliminate unnecessary lock
	for zero timeout") made the last ep_events_available() lockless.

	BUG: KCSAN: data-race in do_epoll_wait / do_epoll_wait

	write to 0xffff88810480c7d8 of 8 bytes by task 1802 on cpu 0:
	INIT_LIST_HEAD include/linux/list.h:38 [inline]
	list_splice_init include/linux/list.h:492 [inline]
	ep_start_scan fs/eventpoll.c:622 [inline]
	ep_send_events fs/eventpoll.c:1656 [inline]
	ep_poll fs/eventpoll.c:1806 [inline]
	do_epoll_wait+0x4eb/0xf40 fs/eventpoll.c:2234
	do_epoll_pwait fs/eventpoll.c:2268 [inline]
	__do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]
	__se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275
	__x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275
	do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	read to 0xffff88810480c7d8 of 8 bytes by task 1799 on cpu 1:
	list_empty_careful include/linux/list.h:329 [inline]
	ep_events_available fs/eventpoll.c:381 [inline]
	ep_poll fs/eventpoll.c:1797 [inline]
	do_epoll_wait+0x279/0xf40 fs/eventpoll.c:2234
	do_epoll_pwait fs/eventpoll.c:2268 [inline]
	__do_sys_epoll_pwait fs/eventpoll.c:2281 [inline]
	__se_sys_epoll_pwait+0x12b/0x240 fs/eventpoll.c:2275
	__x64_sys_epoll_pwait+0x74/0x80 fs/eventpoll.c:2275
	do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	value changed: 0xffff88810480c7d0 -> 0xffff888103c15098

	Reported by Kernel Concurrency Sanitizer on:
	CPU: 1 PID: 1799 Comm: syz-fuzzer Tainted: G W 5.17.0-rc7-syzkaller-dirty #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

	The Linux kernel CVE team has assigned CVE-2022-49443 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.12 with commit bf3b9f6372c45b0fbf24d86b8794910d20170017 and fixed in 5.15.46 with commit 5d5d993f16be15d124be7b8ec71b28ef7b7dc3af
	Issue introduced in 4.12 with commit bf3b9f6372c45b0fbf24d86b8794910d20170017 and fixed in 5.17.14 with commit cb3e48f7a35033deb9455abe3932e63cb500b9eb
	Issue introduced in 4.12 with commit bf3b9f6372c45b0fbf24d86b8794910d20170017 and fixed in 5.18.3 with commit e039c0b5985999b150594126225e1ee51df7b4c9
	Issue introduced in 4.12 with commit bf3b9f6372c45b0fbf24d86b8794910d20170017 and fixed in 5.19 with commit d679ae94fdd5d3ab00c35078f5af5f37e068b03d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49443
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/linux/list.h


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5d5d993f16be15d124be7b8ec71b28ef7b7dc3af
	https://git.kernel.org/stable/c/cb3e48f7a35033deb9455abe3932e63cb500b9eb
	https://git.kernel.org/stable/c/e039c0b5985999b150594126225e1ee51df7b4c9
	https://git.kernel.org/stable/c/d679ae94fdd5d3ab00c35078f5af5f37e068b03d