Message-ID: <2024102148-CVE-2022-48988-188f@gregkh>
Date: Mon, 21 Oct 2024 22:06:20 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-48988: memcg: fix possible use-after-free in memcg_write_event_control()
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
memcg: fix possible use-after-free in memcg_write_event_control()
memcg_write_event_control() accesses the dentry->d_name of the specified
control fd to route the write call. As a cgroup interface file can't be
renamed, it's safe to access d_name as long as the specified file is a
regular cgroup file. Also, as these cgroup interface files can't be
removed before the directory, it's safe to access the parent too.

Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a
call to __file_cft() which verified that the specified file is a regular
cgroupfs file before further accesses. The cftype pointer returned from
__file_cft() was no longer necessary and the commit inadvertently dropped
the file type check with it, allowing any file to slip through. With the
invariants broken, the d_name and parent accesses can now race against
renames and removals of arbitrary files and cause use-after-frees.

Fix the bug by resurrecting the file type check in __file_cft(). Now that
cgroupfs is implemented through kernfs, checking the file operations needs
to go through a layer of indirection. Instead, let's check the superblock
and dentry type.
The Linux kernel CVE team has assigned CVE-2022-48988 to this issue.
Affected and fixed versions
===========================
Issue introduced in 3.14 with commit 347c4a874710 and fixed in 4.14.302 with commit b77600e26fd4
Issue introduced in 3.14 with commit 347c4a874710 and fixed in 4.19.269 with commit e1ae97624ecf
Issue introduced in 3.14 with commit 347c4a874710 and fixed in 5.4.227 with commit 35963b318219
Issue introduced in 3.14 with commit 347c4a874710 and fixed in 5.10.159 with commit f1f7f36cf682
Issue introduced in 3.14 with commit 347c4a874710 and fixed in 5.15.83 with commit aad8bbd17a1d
Issue introduced in 3.14 with commit 347c4a874710 and fixed in 6.0.13 with commit 0ed074317b83
Issue introduced in 3.14 with commit 347c4a874710 and fixed in 6.1 with commit 4a7ba45b1a43
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-48988
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.
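As an added example (not part of this announcement or of the kernel CVE team's tooling), the following script triages a `uname -r` string against the fix table above. The branch table is copied from that section; the rules for releases before 3.14, for 6.1 and later, and for series the table does not list are this example's own reading of the announcement.

```python
import re

INTRODUCED = (3, 14)       # 347c4a874710 landed in v3.14
MAINLINE_FIXED = (6, 1)    # 4a7ba45b1a43 landed in v6.1

# stable branch -> first patch release carrying the backported fix
# (copied from the "Affected and fixed versions" section above)
FIXED_IN_BRANCH = {
    (4, 14): 302,
    (4, 19): 269,
    (5, 4): 227,
    (5, 10): 159,
    (5, 15): 83,
    (6, 0): 13,
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Turn a `uname -r` string such as '5.10.158-1-amd64' into (major, minor, patch).

    Distribution suffixes are ignored; a missing patch level (e.g. '6.1') is 0.
    """
    m = _VER_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def triage(release):
    """Return 'unaffected', 'fixed', 'vulnerable' or 'unknown' for a release string."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch < INTRODUCED:
        return "unaffected"       # predates the commit that introduced the bug
    if branch >= MAINLINE_FIXED:
        return "fixed"            # mainline carries the fix from v6.1 onwards
    if branch in FIXED_IN_BRANCH:
        return "fixed" if patch >= FIXED_IN_BRANCH[branch] else "vulnerable"
    # A series between 3.14 and 6.1 for which the announcement lists no
    # backport (for example an end-of-life branch such as 5.16): treat it
    # as unpatched unless the vendor says otherwise.
    return "unknown"


if __name__ == "__main__":
    import platform
    print(platform.release(), "->", triage(platform.release()))
```

Distribution kernels (a 5.15.0-NN-generic build, for instance) carry backports the version string does not reveal, so a "vulnerable" verdict from this script is a prompt for a package-level check, not a final answer.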
Affected files
==============
The file(s) affected by this issue are:
include/linux/cgroup.h
kernel/cgroup/cgroup-internal.h
mm/memcontrol.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/b77600e26fd48727a95ffd50ba1e937efb548125
https://git.kernel.org/stable/c/e1ae97624ecf400ea56c238bff23e5cd139df0b8
https://git.kernel.org/stable/c/35963b31821920908e397146502066f6b032c917
https://git.kernel.org/stable/c/f1f7f36cf682fa59db15e2089039a2eeb58ff2ad
https://git.kernel.org/stable/c/aad8bbd17a1d586005feb9226c2e9cfce1432e13
https://git.kernel.org/stable/c/0ed074317b835caa6c03bcfa8f133365324673dc
https://git.kernel.org/stable/c/4a7ba45b1a435e7097ca0f79a847d0949d0eb088