cve/published/2022/CVE-2022-49567.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49567: mm/mempolicy: fix uninit-value in mpol_rebind_policy()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mm/mempolicy: fix uninit-value in mpol_rebind_policy()

 mpol_set_nodemask()(mm/mempolicy.c) does not set up nodemask when
 pol->mode is MPOL_LOCAL.  Check pol->mode before access
 pol->w.cpuset_mems_allowed in mpol_rebind_policy()(mm/mempolicy.c).

 BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:352 [inline]
 BUG: KMSAN: uninit-value in mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368
  mpol_rebind_policy mm/mempolicy.c:352 [inline]
  mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368
  cpuset_change_task_nodemask kernel/cgroup/cpuset.c:1711 [inline]
  cpuset_attach+0x787/0x15e0 kernel/cgroup/cpuset.c:2278
  cgroup_migrate_execute+0x1023/0x1d20 kernel/cgroup/cgroup.c:2515
  cgroup_migrate kernel/cgroup/cgroup.c:2771 [inline]
  cgroup_attach_task+0x540/0x8b0 kernel/cgroup/cgroup.c:2804
  __cgroup1_procs_write+0x5cc/0x7a0 kernel/cgroup/cgroup-v1.c:520
  cgroup1_tasks_write+0x94/0xb0 kernel/cgroup/cgroup-v1.c:539
  cgroup_file_write+0x4c2/0x9e0 kernel/cgroup/cgroup.c:3852
  kernfs_fop_write_iter+0x66a/0x9f0 fs/kernfs/file.c:296
  call_write_iter include/linux/fs.h:2162 [inline]
  new_sync_write fs/read_write.c:503 [inline]
  vfs_write+0x1318/0x2030 fs/read_write.c:590
  ksys_write+0x28b/0x510 fs/read_write.c:643
  __do_sys_write fs/read_write.c:655 [inline]
  __se_sys_write fs/read_write.c:652 [inline]
  __x64_sys_write+0xdb/0x120 fs/read_write.c:652
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 Uninit was created at:
  slab_post_alloc_hook mm/slab.h:524 [inline]
  slab_alloc_node mm/slub.c:3251 [inline]
  slab_alloc mm/slub.c:3259 [inline]
  kmem_cache_alloc+0x902/0x11c0 mm/slub.c:3264
  mpol_new mm/mempolicy.c:293 [inline]
  do_set_mempolicy+0x421/0xb70 mm/mempolicy.c:853
  kernel_set_mempolicy mm/mempolicy.c:1504 [inline]
  __do_sys_set_mempolicy mm/mempolicy.c:1510 [inline]
  __se_sys_set_mempolicy+0x44c/0xb60 mm/mempolicy.c:1507
  __x64_sys_set_mempolicy+0xd8/0x110 mm/mempolicy.c:1507
  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
  do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
  entry_SYSCALL_64_after_hwframe+0x44/0xae

 KMSAN: uninit-value in mpol_rebind_task (2)
 https://syzkaller.appspot.com/bug?id=d6eb90f952c2a5de9ea718a1b873c55cb13b59dc

 This patch seems to fix below bug too.
 KMSAN: uninit-value in mpol_rebind_mm (2)
 https://syzkaller.appspot.com/bug?id=f2fecd0d7013f54ec4162f60743a2b28df40926b

 The uninit-value is pol->w.cpuset_mems_allowed in mpol_rebind_policy().
 When syzkaller reproducer runs to the beginning of mpol_new(),

 	    mpol_new() mm/mempolicy.c
 	  do_mbind() mm/mempolicy.c
 	kernel_mbind() mm/mempolicy.c

 `mode` is 1(MPOL_PREFERRED), nodes_empty(*nodes) is `true` and `flags`
 is 0. Then

 	mode = MPOL_LOCAL;
 	...
 	policy->mode = mode;
 	policy->flags = flags;

 will be executed. So in mpol_set_nodemask(),

 	    mpol_set_nodemask() mm/mempolicy.c
 	  do_mbind()
 	kernel_mbind()

 pol->mode is 4 (MPOL_LOCAL), that `nodemask` in `pol` is not initialized,
 which will be accessed in mpol_rebind_policy().

 The Linux kernel CVE team has assigned CVE-2022-49567 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.9.325 with commit 5735845906fb1d90fe597f8b503fc0a857d475e3
 	Fixed in 4.14.290 with commit aaa1c5d635a6fca2043513ffb5be169f9cd17d9e
 	Fixed in 4.19.254 with commit 13d51565cec1aa432a6ab363edc2bbc53c6f49cb
 	Fixed in 5.4.208 with commit a1f8765f68bc9bf5744b365bb9f5e0b6db93edfe
 	Fixed in 5.10.134 with commit ddb3f0b68863bd1c5f43177eea476bce316d4993
 	Fixed in 5.15.58 with commit 8c5429a04ccd8dbcc3c753dab2f4126774ec28d4
 	Fixed in 5.18.15 with commit 777e563f10e91e91130fe06bee85220d508e7b9b
 	Fixed in 5.19 with commit 018160ad314d75b1409129b2247b614a9f35894c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49567
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	mm/mempolicy.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5735845906fb1d90fe597f8b503fc0a857d475e3
 	https://git.kernel.org/stable/c/aaa1c5d635a6fca2043513ffb5be169f9cd17d9e
 	https://git.kernel.org/stable/c/13d51565cec1aa432a6ab363edc2bbc53c6f49cb
 	https://git.kernel.org/stable/c/a1f8765f68bc9bf5744b365bb9f5e0b6db93edfe
 	https://git.kernel.org/stable/c/ddb3f0b68863bd1c5f43177eea476bce316d4993
 	https://git.kernel.org/stable/c/8c5429a04ccd8dbcc3c753dab2f4126774ec28d4
 	https://git.kernel.org/stable/c/777e563f10e91e91130fe06bee85220d508e7b9b
 	https://git.kernel.org/stable/c/018160ad314d75b1409129b2247b614a9f35894c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49567: mm/mempolicy: fix uninit-value in mpol_rebind_policy()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mm/mempolicy: fix uninit-value in mpol_rebind_policy()

	mpol_set_nodemask()(mm/mempolicy.c) does not set up nodemask when
	pol->mode is MPOL_LOCAL. Check pol->mode before access
	pol->w.cpuset_mems_allowed in mpol_rebind_policy()(mm/mempolicy.c).

	BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:352 [inline]
	BUG: KMSAN: uninit-value in mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368
	mpol_rebind_policy mm/mempolicy.c:352 [inline]
	mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368
	cpuset_change_task_nodemask kernel/cgroup/cpuset.c:1711 [inline]
	cpuset_attach+0x787/0x15e0 kernel/cgroup/cpuset.c:2278
	cgroup_migrate_execute+0x1023/0x1d20 kernel/cgroup/cgroup.c:2515
	cgroup_migrate kernel/cgroup/cgroup.c:2771 [inline]
	cgroup_attach_task+0x540/0x8b0 kernel/cgroup/cgroup.c:2804
	__cgroup1_procs_write+0x5cc/0x7a0 kernel/cgroup/cgroup-v1.c:520
	cgroup1_tasks_write+0x94/0xb0 kernel/cgroup/cgroup-v1.c:539
	cgroup_file_write+0x4c2/0x9e0 kernel/cgroup/cgroup.c:3852
	kernfs_fop_write_iter+0x66a/0x9f0 fs/kernfs/file.c:296
	call_write_iter include/linux/fs.h:2162 [inline]
	new_sync_write fs/read_write.c:503 [inline]
	vfs_write+0x1318/0x2030 fs/read_write.c:590
	ksys_write+0x28b/0x510 fs/read_write.c:643
	__do_sys_write fs/read_write.c:655 [inline]
	__se_sys_write fs/read_write.c:652 [inline]
	__x64_sys_write+0xdb/0x120 fs/read_write.c:652
	do_syscall_x64 arch/x86/entry/common.c:51 [inline]
	do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	Uninit was created at:
	slab_post_alloc_hook mm/slab.h:524 [inline]
	slab_alloc_node mm/slub.c:3251 [inline]
	slab_alloc mm/slub.c:3259 [inline]
	kmem_cache_alloc+0x902/0x11c0 mm/slub.c:3264
	mpol_new mm/mempolicy.c:293 [inline]
	do_set_mempolicy+0x421/0xb70 mm/mempolicy.c:853
	kernel_set_mempolicy mm/mempolicy.c:1504 [inline]
	__do_sys_set_mempolicy mm/mempolicy.c:1510 [inline]
	__se_sys_set_mempolicy+0x44c/0xb60 mm/mempolicy.c:1507
	__x64_sys_set_mempolicy+0xd8/0x110 mm/mempolicy.c:1507
	do_syscall_x64 arch/x86/entry/common.c:51 [inline]
	do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
	entry_SYSCALL_64_after_hwframe+0x44/0xae

	KMSAN: uninit-value in mpol_rebind_task (2)
	https://syzkaller.appspot.com/bug?id=d6eb90f952c2a5de9ea718a1b873c55cb13b59dc

	This patch seems to fix below bug too.
	KMSAN: uninit-value in mpol_rebind_mm (2)
	https://syzkaller.appspot.com/bug?id=f2fecd0d7013f54ec4162f60743a2b28df40926b

	The uninit-value is pol->w.cpuset_mems_allowed in mpol_rebind_policy().
	When syzkaller reproducer runs to the beginning of mpol_new(),

	mpol_new() mm/mempolicy.c
	do_mbind() mm/mempolicy.c
	kernel_mbind() mm/mempolicy.c

	`mode` is 1(MPOL_PREFERRED), nodes_empty(*nodes) is `true` and `flags`
	is 0. Then

	mode = MPOL_LOCAL;
	...
	policy->mode = mode;
	policy->flags = flags;

	will be executed. So in mpol_set_nodemask(),

	mpol_set_nodemask() mm/mempolicy.c
	do_mbind()
	kernel_mbind()

	pol->mode is 4 (MPOL_LOCAL), that `nodemask` in `pol` is not initialized,
	which will be accessed in mpol_rebind_policy().

	The Linux kernel CVE team has assigned CVE-2022-49567 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.9.325 with commit 5735845906fb1d90fe597f8b503fc0a857d475e3
	Fixed in 4.14.290 with commit aaa1c5d635a6fca2043513ffb5be169f9cd17d9e
	Fixed in 4.19.254 with commit 13d51565cec1aa432a6ab363edc2bbc53c6f49cb
	Fixed in 5.4.208 with commit a1f8765f68bc9bf5744b365bb9f5e0b6db93edfe
	Fixed in 5.10.134 with commit ddb3f0b68863bd1c5f43177eea476bce316d4993
	Fixed in 5.15.58 with commit 8c5429a04ccd8dbcc3c753dab2f4126774ec28d4
	Fixed in 5.18.15 with commit 777e563f10e91e91130fe06bee85220d508e7b9b
	Fixed in 5.19 with commit 018160ad314d75b1409129b2247b614a9f35894c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49567
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	mm/mempolicy.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5735845906fb1d90fe597f8b503fc0a857d475e3
	https://git.kernel.org/stable/c/aaa1c5d635a6fca2043513ffb5be169f9cd17d9e
	https://git.kernel.org/stable/c/13d51565cec1aa432a6ab363edc2bbc53c6f49cb
	https://git.kernel.org/stable/c/a1f8765f68bc9bf5744b365bb9f5e0b6db93edfe
	https://git.kernel.org/stable/c/ddb3f0b68863bd1c5f43177eea476bce316d4993
	https://git.kernel.org/stable/c/8c5429a04ccd8dbcc3c753dab2f4126774ec28d4
	https://git.kernel.org/stable/c/777e563f10e91e91130fe06bee85220d508e7b9b
	https://git.kernel.org/stable/c/018160ad314d75b1409129b2247b614a9f35894c