cve/published/2022/CVE-2022-49696.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49696: tipc: fix use-after-free Read in tipc_named_reinit

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tipc: fix use-after-free Read in tipc_named_reinit

 syzbot found the following issue on:
 ==================================================================
 BUG: KASAN: use-after-free in tipc_named_reinit+0x94f/0x9b0
 net/tipc/name_distr.c:413
 Read of size 8 at addr ffff88805299a000 by task kworker/1:9/23764

 CPU: 1 PID: 23764 Comm: kworker/1:9 Not tainted
 5.18.0-rc4-syzkaller-00878-g17d49e6e8012 #0
 Hardware name: Google Compute Engine/Google Compute Engine,
 BIOS Google 01/01/2011
 Workqueue: events tipc_net_finalize_work
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
  print_address_description.constprop.0.cold+0xeb/0x495
 mm/kasan/report.c:313
  print_report mm/kasan/report.c:429 [inline]
  kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
  tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413
  tipc_net_finalize+0x234/0x3d0 net/tipc/net.c:138
  process_one_work+0x996/0x1610 kernel/workqueue.c:2289
  worker_thread+0x665/0x1080 kernel/workqueue.c:2436
  kthread+0x2e9/0x3a0 kernel/kthread.c:376
  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
  </TASK>
 [...]
 ==================================================================

 In the commit
 d966ddcc3821 ("tipc: fix a deadlock when flushing scheduled work"),
 the cancel_work_sync() function just to make sure ONLY the work
 tipc_net_finalize_work() is executing/pending on any CPU completed before
 tipc namespace is destroyed through tipc_exit_net(). But this function
 is not guaranteed the work is the last queued. So, the destroyed instance
 may be accessed in the work which will try to enqueue later.

 In order to completely fix, we re-order the calling of cancel_work_sync()
 to make sure the work tipc_net_finalize_work() was last queued and it
 must be completed by calling cancel_work_sync().

 The Linux kernel CVE team has assigned CVE-2022-49696 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10 with commit d966ddcc38217a6110a6a0ff37ad2dee7d42e23e and fixed in 5.10.127 with commit 361c5521c1e49843b710f455cae3c0a50b714323
 	Issue introduced in 5.10 with commit d966ddcc38217a6110a6a0ff37ad2dee7d42e23e and fixed in 5.15.51 with commit cd7789e659e84f137631dc1f5ec8d794f2700e6c
 	Issue introduced in 5.10 with commit d966ddcc38217a6110a6a0ff37ad2dee7d42e23e and fixed in 5.18.8 with commit 8b246ddd394d7d9640816611693b0096b998e27a
 	Issue introduced in 5.10 with commit d966ddcc38217a6110a6a0ff37ad2dee7d42e23e and fixed in 5.19 with commit 911600bf5a5e84bfda4d33ee32acc75ecf6159f0
 	Issue introduced in 5.4.83 with commit fdc1416c21992ea7b4737123c8aa8c7424a1a540
 	Issue introduced in 5.9.14 with commit 1716c9bd567bc6cdb3d18be78f36941a306b708d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49696
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/tipc/core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/361c5521c1e49843b710f455cae3c0a50b714323
 	https://git.kernel.org/stable/c/cd7789e659e84f137631dc1f5ec8d794f2700e6c
 	https://git.kernel.org/stable/c/8b246ddd394d7d9640816611693b0096b998e27a
 	https://git.kernel.org/stable/c/911600bf5a5e84bfda4d33ee32acc75ecf6159f0
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49696: tipc: fix use-after-free Read in tipc_named_reinit

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tipc: fix use-after-free Read in tipc_named_reinit

	syzbot found the following issue on:
	==================================================================
	BUG: KASAN: use-after-free in tipc_named_reinit+0x94f/0x9b0
	net/tipc/name_distr.c:413
	Read of size 8 at addr ffff88805299a000 by task kworker/1:9/23764

	CPU: 1 PID: 23764 Comm: kworker/1:9 Not tainted
	5.18.0-rc4-syzkaller-00878-g17d49e6e8012 #0
	Hardware name: Google Compute Engine/Google Compute Engine,
	BIOS Google 01/01/2011
	Workqueue: events tipc_net_finalize_work
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
	print_address_description.constprop.0.cold+0xeb/0x495
	mm/kasan/report.c:313
	print_report mm/kasan/report.c:429 [inline]
	kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
	tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413
	tipc_net_finalize+0x234/0x3d0 net/tipc/net.c:138
	process_one_work+0x996/0x1610 kernel/workqueue.c:2289
	worker_thread+0x665/0x1080 kernel/workqueue.c:2436
	kthread+0x2e9/0x3a0 kernel/kthread.c:376
	ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
	</TASK>
	[...]
	==================================================================

	In the commit
	d966ddcc3821 ("tipc: fix a deadlock when flushing scheduled work"),
	the cancel_work_sync() function just to make sure ONLY the work
	tipc_net_finalize_work() is executing/pending on any CPU completed before
	tipc namespace is destroyed through tipc_exit_net(). But this function
	is not guaranteed the work is the last queued. So, the destroyed instance
	may be accessed in the work which will try to enqueue later.

	In order to completely fix, we re-order the calling of cancel_work_sync()
	to make sure the work tipc_net_finalize_work() was last queued and it
	must be completed by calling cancel_work_sync().

	The Linux kernel CVE team has assigned CVE-2022-49696 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10 with commit d966ddcc38217a6110a6a0ff37ad2dee7d42e23e and fixed in 5.10.127 with commit 361c5521c1e49843b710f455cae3c0a50b714323
	Issue introduced in 5.10 with commit d966ddcc38217a6110a6a0ff37ad2dee7d42e23e and fixed in 5.15.51 with commit cd7789e659e84f137631dc1f5ec8d794f2700e6c
	Issue introduced in 5.10 with commit d966ddcc38217a6110a6a0ff37ad2dee7d42e23e and fixed in 5.18.8 with commit 8b246ddd394d7d9640816611693b0096b998e27a
	Issue introduced in 5.10 with commit d966ddcc38217a6110a6a0ff37ad2dee7d42e23e and fixed in 5.19 with commit 911600bf5a5e84bfda4d33ee32acc75ecf6159f0
	Issue introduced in 5.4.83 with commit fdc1416c21992ea7b4737123c8aa8c7424a1a540
	Issue introduced in 5.9.14 with commit 1716c9bd567bc6cdb3d18be78f36941a306b708d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49696
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/tipc/core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/361c5521c1e49843b710f455cae3c0a50b714323
	https://git.kernel.org/stable/c/cd7789e659e84f137631dc1f5ec8d794f2700e6c
	https://git.kernel.org/stable/c/8b246ddd394d7d9640816611693b0096b998e27a
	https://git.kernel.org/stable/c/911600bf5a5e84bfda4d33ee32acc75ecf6159f0