CVE-2022-48892
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-48892
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48892.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-48892
- Related
- Published
- 2024-08-21T07:15:05Z
- Modified
- 2024-09-11T02:00:05Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
sched/core: Fix use-after-free bug in dupusercpus_ptr()
Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems"), the setting and clearing of usercpusptr are done under pilock for arm64 architecture. However, dupusercpusptr() accesses usercpusptr without any lock protection. Since schedsetaffinity() can be invoked from another process, the process being modified may be undergoing fork() at the same time. When racing with the clearing of usercpusptr in _setcpusallowedptrlocked(), it can lead to user-after-free and possibly double-free in arm64 kernel.
Commit 8f9ea86fdf99 ("sched: Always preserve the user requested cpumask") fixes this problem as usercpusptr, once set, will never be cleared in a task's lifetime. However, this bug was re-introduced in commit 851a723e45d1 ("sched: Always clear usercpusptr in dosetcpusallowed()") which allows the clearing of usercpusptr in dosetcpusallowed(). This time, it will affect all arches.
Fix this bug by always clearing the usercpusptr of the newly cloned/forked task before the copying process starts and check the usercpusptr state of the source task under pi_lock.
Note to stable, this patch won't be applicable to stable releases. Just copy the new dupusercpus_ptr() function over.
- References
Affected packages
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source