CVE-2022-48892
- Source
- https://cve.org/CVERecord?id=CVE-2022-48892
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48892.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-48892
- Downstream
- Published
- 2024-08-21T06:10:24.407Z
- Modified
- 2025-11-28T08:55:19.519107Z
- Summary
- sched/core: Fix use-after-free bug in dup_user_cpus_ptr()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
sched/core: Fix use-after-free bug in dupusercpus_ptr()
Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems"), the setting and clearing of usercpusptr are done under pilock for arm64 architecture. However, dupusercpusptr() accesses usercpusptr without any lock protection. Since schedsetaffinity() can be invoked from another process, the process being modified may be undergoing fork() at the same time. When racing with the clearing of usercpusptr in _setcpusallowedptrlocked(), it can lead to user-after-free and possibly double-free in arm64 kernel.
Commit 8f9ea86fdf99 ("sched: Always preserve the user requested cpumask") fixes this problem as usercpusptr, once set, will never be cleared in a task's lifetime. However, this bug was re-introduced in commit 851a723e45d1 ("sched: Always clear usercpusptr in dosetcpusallowed()") which allows the clearing of usercpusptr in dosetcpusallowed(). This time, it will affect all arches.
Fix this bug by always clearing the usercpusptr of the newly cloned/forked task before the copying process starts and check the usercpusptr state of the source task under pi_lock.
Note to stable, this patch won't be applicable to stable releases. Just copy the new dupusercpus_ptr() function over.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48892.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/7b5cc7fd1789ea5dbb942c9f8207b076d365badc
- https://git.kernel.org/stable/c/87ca4f9efbd7cc649ff43b87970888f2812945b8
- https://git.kernel.org/stable/c/b22faa21b6230d5eccd233e1b7e0026a5002b287
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48892.json
- https://nvd.nist.gov/vuln/detail/CVE-2022-48892
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced07ec77a1d4e82526e1588979fff2f024f8e96df2Fixedb22faa21b6230d5eccd233e1b7e0026a5002b287Fixed7b5cc7fd1789ea5dbb942c9f8207b076d365badcFixed87ca4f9efbd7cc649ff43b87970888f2812945b8
Affected versions
v5.*
v5.13
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.64
v5.15.65
v5.15.66
v5.15.67
v5.15.68
v5.15.69
v5.15.7
v5.15.70
v5.15.71
v5.15.72
v5.15.73
v5.15.74
v5.15.75
v5.15.76
v5.15.77
v5.15.78
v5.15.79
v5.15.8
v5.15.80
v5.15.81
v5.15.82
v5.15.83
v5.15.84
v5.15.85
v5.15.86
v5.15.87
v5.15.88
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v6.*
v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.2-rc1
v6.2-rc2
Database specific
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48892.json"
vanir_signatures
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87ca4f9efbd7cc649ff43b87970888f2812945b8",
"digest": {
"line_hashes": [
"335621208492106424648164593218419293210",
"334116565855227139532758503379489860227",
"280057267262933350503240997138056165753",
"23198957317007204334797665754405792561",
"234559761939645135011242431503809762756",
"175545754322065656629872642440834644047",
"254550220582050198270451070203184834004",
"14982071845683415689368569598091192336",
"42179668038557129765411276538107521411",
"33895789292149597590183192268030619737",
"315154702984601910009229203653770200212",
"122562749494679325484426769191061314284",
"133957541974154925408653994442672128203"
],
"threshold": 0.9
},
"id": "CVE-2022-48892-1591a041",
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "kernel/sched/core.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b22faa21b6230d5eccd233e1b7e0026a5002b287",
"digest": {
"length": 307.0,
"function_hash": "322164365089504331627945904994898897734"
},
"id": "CVE-2022-48892-40bc76f6",
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "kernel/sched/core.c",
"function": "dup_user_cpus_ptr"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b22faa21b6230d5eccd233e1b7e0026a5002b287",
"digest": {
"line_hashes": [
"81357071479017051774177805373404907986",
"233720896326245864115894653705460198850",
"53830800188662238899020709874274123553",
"175545754322065656629872642440834644047",
"254550220582050198270451070203184834004",
"15232182160989248387068828032853190470",
"44121585410039577698669671479449495342",
"256350503675029446711932725878836424351",
"80053623993350237984844994718410421426"
],
"threshold": 0.9
},
"id": "CVE-2022-48892-5981bbaf",
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "kernel/sched/core.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@87ca4f9efbd7cc649ff43b87970888f2812945b8",
"digest": {
"length": 408.0,
"function_hash": "155248760189280380266391206419248618570"
},
"id": "CVE-2022-48892-6aef4ba9",
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "kernel/sched/core.c",
"function": "dup_user_cpus_ptr"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7b5cc7fd1789ea5dbb942c9f8207b076d365badc",
"digest": {
"line_hashes": [
"81357071479017051774177805373404907986",
"233720896326245864115894653705460198850",
"53830800188662238899020709874274123553",
"175545754322065656629872642440834644047",
"254550220582050198270451070203184834004",
"15232182160989248387068828032853190470",
"44121585410039577698669671479449495342",
"256350503675029446711932725878836424351",
"80053623993350237984844994718410421426"
],
"threshold": 0.9
},
"id": "CVE-2022-48892-93ac5969",
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"target": {
"file": "kernel/sched/core.c"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7b5cc7fd1789ea5dbb942c9f8207b076d365badc",
"digest": {
"length": 307.0,
"function_hash": "322164365089504331627945904994898897734"
},
"id": "CVE-2022-48892-a0bf1101",
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"target": {
"file": "kernel/sched/core.c",
"function": "dup_user_cpus_ptr"
}
}
]