CVE-2022-48726

BUG: KASAN: use-after-free in ucmacleanupmulticast drivers/infiniband/core/ucma.c:491 [inline] BUG: KASAN: use-after-free in ucmadestroyprivatectx+0x914/0xb70 drivers/infiniband/core/ucma.c:579 Read of size 8 at addr ffff88801bb74b00 by task syz-executor.1/25529 CPU: 0 PID: 25529 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0xcd/0x134 lib/dumpstack.c:106 printaddressdescription.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247 _kasanreport mm/kasan/report.c:433 [inline] kasanreport.cold+0x83/0xdf mm/kasan/report.c:450 ucmacleanupmulticast drivers/infiniband/core/ucma.c:491 [inline] ucmadestroyprivatectx+0x914/0xb70 drivers/infiniband/core/ucma.c:579 ucmadestroyid+0x1e6/0x280 drivers/infiniband/core/ucma.c:614 ucmawrite+0x25c/0x350 drivers/infiniband/core/ucma.c:1732 vfswrite+0x28e/0xae0 fs/readwrite.c:588 ksyswrite+0x1ee/0x250 fs/readwrite.c:643 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x35/0xb0 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x44/0xae

Currently the xarray search can touch a concurrently freeing mc as the xaforeach() is not surrounded by any lock. Rather than hold the lock for a full scan hold it only for the effected items, which is usually an empty list.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

95fe51096b7adf1d1e7315c49c75e2f75f162584

Fixed

75c610212b9f1756b9384911d3a2c347eee8031c

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

95fe51096b7adf1d1e7315c49c75e2f75f162584

Fixed

2923948ffe0835f7114e948b35bcc42bc9b3baa1

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

95fe51096b7adf1d1e7315c49c75e2f75f162584

Fixed

ee2477e8ccd3d978eeac0dc5a981b286d9bb7b0a

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

95fe51096b7adf1d1e7315c49c75e2f75f162584

Fixed

36e8169ec973359f671f9ec7213547059cae972e

Affected versions

v5.*

v5.10

v5.10-rc1

v5.10-rc2

v5.10-rc3

v5.10-rc4

v5.10-rc5

v5.10-rc6

v5.10-rc7

v5.10.1

v5.10.10

v5.10.11

v5.10.12

v5.10.13

v5.10.14

v5.10.15

v5.10.16

v5.10.17

v5.10.18

v5.10.19

v5.10.2

v5.10.20

v5.10.21

v5.10.22

v5.10.23

v5.10.24

v5.10.25

v5.10.26

v5.10.27

v5.10.28

v5.10.29

v5.10.3

v5.10.30

v5.10.31

v5.10.32

v5.10.33

v5.10.34

v5.10.35

v5.10.36

v5.10.37

v5.10.38

v5.10.39

v5.10.4

v5.10.40

v5.10.41

v5.10.42

v5.10.43

v5.10.44

v5.10.45

v5.10.46

v5.10.47

v5.10.48

v5.10.49

v5.10.5

v5.10.50

v5.10.51

v5.10.52

v5.10.53

v5.10.54

v5.10.55

v5.10.56

v5.10.57

v5.10.58

v5.10.59

v5.10.6

v5.10.60

v5.10.61

v5.10.62

v5.10.63

v5.10.64

v5.10.65

v5.10.66

v5.10.67

v5.10.68

v5.10.69

v5.10.7

v5.10.70

v5.10.71

v5.10.72

v5.10.73

v5.10.74

v5.10.75

v5.10.76

v5.10.77

v5.10.78

v5.10.79

v5.10.8

v5.10.80

v5.10.81

v5.10.82

v5.10.83

v5.10.84

v5.10.85

v5.10.86

v5.10.87

v5.10.88

v5.10.89

v5.10.9

v5.10.90

v5.10.91

v5.10.92

v5.10.93

v5.10.94

v5.10.95

v5.10.96

v5.10.97

v5.10.98

v5.11

v5.11-rc1

v5.11-rc2

v5.11-rc3

v5.11-rc4

v5.11-rc5

v5.11-rc6

v5.11-rc7

v5.12

v5.12-rc1

v5.12-rc1-dontuse

v5.12-rc2

v5.12-rc3

v5.12-rc4

v5.12-rc5

v5.12-rc6

v5.12-rc7

v5.12-rc8

v5.13

v5.13-rc1

v5.13-rc2

v5.13-rc3

v5.13-rc4

v5.13-rc5

v5.13-rc6

v5.13-rc7

v5.14

v5.14-rc1

v5.14-rc2

v5.14-rc3

v5.14-rc4

v5.14-rc5

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.15.1

v5.15.10

v5.15.11

v5.15.12

v5.15.13

v5.15.14

v5.15.15

v5.15.16

v5.15.17

v5.15.18

v5.15.19

v5.15.2

v5.15.20

v5.15.21

v5.15.3

v5.15.4

v5.15.5

v5.15.6

v5.15.7

v5.15.8

v5.15.9

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.16.1

v5.16.2

v5.16.3

v5.16.4

v5.16.5

v5.16.6

v5.16.7

v5.17-rc1

v5.9

v5.9-rc2

v5.9-rc3

v5.9-rc4

v5.9-rc5

v5.9-rc6

v5.9-rc7

v5.9-rc8

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "target": {
            "function": "ucma_alloc_ctx",
            "file": "drivers/infiniband/core/ucma.c"
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75c610212b9f1756b9384911d3a2c347eee8031c",
        "digest": {
            "function_hash": "90649344114687098919317332722134091840",
            "length": 430.0
        },
        "id": "CVE-2022-48726-3ab46a25",
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "target": {
            "function": "ucma_leave_multicast",
            "file": "drivers/infiniband/core/ucma.c"
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75c610212b9f1756b9384911d3a2c347eee8031c",
        "digest": {
            "function_hash": "279568564441437086113708784552762738620",
            "length": 1056.0
        },
        "id": "CVE-2022-48726-7b051366",
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "target": {
            "function": "ucma_process_join",
            "file": "drivers/infiniband/core/ucma.c"
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75c610212b9f1756b9384911d3a2c347eee8031c",
        "digest": {
            "function_hash": "207430315606732822852992155948179578125",
            "length": 1670.0
        },
        "id": "CVE-2022-48726-8dba040d",
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "target": {
            "function": "ucma_cleanup_multicast",
            "file": "drivers/infiniband/core/ucma.c"
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75c610212b9f1756b9384911d3a2c347eee8031c",
        "digest": {
            "function_hash": "53043868946418596090555698912593938965",
            "length": 226.0
        },
        "id": "CVE-2022-48726-af5c96ad",
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "drivers/infiniband/core/ucma.c"
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@75c610212b9f1756b9384911d3a2c347eee8031c",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "109461504352215854073198901161384241889",
                "288726256777328272187354886718745586438",
                "200250874721577587199394947227316510004",
                "313701977852333943205581975620485558880",
                "92291237538396318292327494512074061608",
                "167218098908831743650246764445606497792",
                "263902275510144973335104387070501515074",
                "4974593048297909754802696970034792927",
                "232635322623969211241478830205735473616",
                "151457581941818207427903733777720132877",
                "114192607055221158996784455211819806995",
                "190396113834059664737473640629392315932",
                "290955844275290609860548797460743593845",
                "69735046602438382638409611678684010313",
                "209958123025787519797633615901813065974",
                "57734373900869511363302404063293141160",
                "250417513233593141096139078185704194287",
                "177692640394286657622374179518766033678",
                "96976455853893181446834946458350381899",
                "235549892122639332156341491243909777318",
                "197069940523379094769121065790279883317",
                "22589900548797604645165449996487914396",
                "191399223218663432210889543800943540835",
                "137111056718391886871679457159522681379",
                "238924488921479172433341554053150839306",
                "184165841024792829907013642762769852636",
                "33674481425854804341786637674584833004",
                "211466973986514052025697427219225047111",
                "273417656657593365123318182525659988167",
                "57778572093948604544176605927054906722",
                "138770761923554715709351683409118825063",
                "133202268855943196729363623545542995404",
                "238218874393727184158550720333780150125",
                "65192443627289154674207746244929180756",
                "17528980807616413257512608504798605685",
                "2957149270164045820900206031840594349",
                "318456537538170701615314832555230762358",
                "98935767764309814114456300828940357196",
                "112886967645980396806047999494327290749",
                "82211058569561722217425376055303813112",
                "89619088560109744268529998633705901770",
                "22986447025974306963463147206017069820",
                "123987136969086626660165237984671847825",
                "162367003090114702087781068548349405908",
                "305246074710580288651162210853562743555",
                "98578990322977724427742674549766384668"
            ]
        },
        "id": "CVE-2022-48726-c136f1e3",
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.10.0

Fixed

5.10.99

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.22

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

5.16.8