In the Linux kernel, the following vulnerability has been resolved:
memcg: fix possible use-after-free in memcg_write_event_control()
memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too.
Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary, and the commit inadvertently dropped the file type check along with it, allowing any file to slip through. With the invariants broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-frees.
Fix the bug by resurrecting the file type check formerly performed in __file_cft(). Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type.
{ "vanir_signatures": [ { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "131131080031059583973056184652901458632", "120038855180224988911685403846730250717", "206657593666141675931938864117121010498" ] }, "id": "CVE-2022-48988-1033492c", "deprecated": false, "target": { "file": "include/linux/cgroup.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e1ae97624ecf400ea56c238bff23e5cd139df0b8" }, { "signature_version": "v1", "digest": { "length": 2749.0, "function_hash": "13829442071334002542662847781431225461" }, "id": "CVE-2022-48988-13b9917d", "deprecated": false, "target": { "file": "mm/memcontrol.c", "function": "memcg_write_event_control" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e1ae97624ecf400ea56c238bff23e5cd139df0b8" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "79975611068060258724462758901661265091", "199816738037999465212685957999095382201", "84914071836529734814213091665094582272", "279189229696610449244160328363187448501", "104473385814770552924831390416002710373", "113718357627120965410255893416275912409", "63755454185455889651997644070186834233", "278729411673887484455491384650948984879", "143550818909015912294395225701101380900", "196498156335507242726170284127885139938", "155316922871735882522350232550677081723", "34233175191714982192077940746119686067" ] }, "id": "CVE-2022-48988-27991e48", "deprecated": false, "target": { "file": "mm/memcontrol.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a7ba45b1a435e7097ca0f79a847d0949d0eb088" }, { "signature_version": "v1", "digest": { "length": 2749.0, "function_hash": "13829442071334002542662847781431225461" }, "id": "CVE-2022-48988-34bfa223", "deprecated": false, "target": { "file": "mm/memcontrol.c", "function": "memcg_write_event_control" }, "signature_type": 
"Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35963b31821920908e397146502066f6b032c917" }, { "signature_version": "v1", "digest": { "length": 2767.0, "function_hash": "169172268407380413226538728767189921241" }, "id": "CVE-2022-48988-35b679c3", "deprecated": false, "target": { "file": "mm/memcontrol.c", "function": "memcg_write_event_control" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b77600e26fd48727a95ffd50ba1e937efb548125" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "83089095526772817653816770118823419646", "262359170411114634663209488913915357215", "229686965349976509158844008520136423675", "66210024757204847858147671966385048140" ] }, "id": "CVE-2022-48988-3b8514f9", "deprecated": false, "target": { "file": "kernel/cgroup/cgroup-internal.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0ed074317b835caa6c03bcfa8f133365324673dc" }, { "signature_version": "v1", "digest": { "length": 2796.0, "function_hash": "190859420971054012617743573496223773065" }, "id": "CVE-2022-48988-3ddc1d1d", "deprecated": false, "target": { "file": "mm/memcontrol.c", "function": "memcg_write_event_control" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a7ba45b1a435e7097ca0f79a847d0949d0eb088" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "79975611068060258724462758901661265091", "199816738037999465212685957999095382201", "84914071836529734814213091665094582272", "279189229696610449244160328363187448501", "104473385814770552924831390416002710373", "113718357627120965410255893416275912409", "63755454185455889651997644070186834233", "278729411673887484455491384650948984879", "143550818909015912294395225701101380900", "196498156335507242726170284127885139938", 
"155316922871735882522350232550677081723", "34233175191714982192077940746119686067" ] }, "id": "CVE-2022-48988-54c6544f", "deprecated": false, "target": { "file": "mm/memcontrol.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aad8bbd17a1d586005feb9226c2e9cfce1432e13" }, { "signature_version": "v1", "digest": { "length": 2736.0, "function_hash": "42739806850568255936492218102371332513" }, "id": "CVE-2022-48988-5bfcc48c", "deprecated": false, "target": { "file": "mm/memcontrol.c", "function": "memcg_write_event_control" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aad8bbd17a1d586005feb9226c2e9cfce1432e13" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "79975611068060258724462758901661265091", "199816738037999465212685957999095382201", "84914071836529734814213091665094582272", "279189229696610449244160328363187448501", "104473385814770552924831390416002710373", "113718357627120965410255893416275912409", "63755454185455889651997644070186834233", "278729411673887484455491384650948984879", "143550818909015912294395225701101380900", "196498156335507242726170284127885139938", "155316922871735882522350232550677081723", "34233175191714982192077940746119686067" ] }, "id": "CVE-2022-48988-6479bc7f", "deprecated": false, "target": { "file": "mm/memcontrol.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0ed074317b835caa6c03bcfa8f133365324673dc" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "83089095526772817653816770118823419646", "262359170411114634663209488913915357215", "229686965349976509158844008520136423675", "66210024757204847858147671966385048140" ] }, "id": "CVE-2022-48988-667569b9", "deprecated": false, "target": { "file": "kernel/cgroup/cgroup-internal.h" }, "signature_type": "Line", "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b77600e26fd48727a95ffd50ba1e937efb548125" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "83089095526772817653816770118823419646", "262359170411114634663209488913915357215", "229686965349976509158844008520136423675", "66210024757204847858147671966385048140" ] }, "id": "CVE-2022-48988-6e6a78ac", "deprecated": false, "target": { "file": "kernel/cgroup/cgroup-internal.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1f7f36cf682fa59db15e2089039a2eeb58ff2ad" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "131131080031059583973056184652901458632", "120038855180224988911685403846730250717", "206657593666141675931938864117121010498" ] }, "id": "CVE-2022-48988-746fbc21", "deprecated": false, "target": { "file": "include/linux/cgroup.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0ed074317b835caa6c03bcfa8f133365324673dc" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "131131080031059583973056184652901458632", "120038855180224988911685403846730250717", "206657593666141675931938864117121010498" ] }, "id": "CVE-2022-48988-7f3e0639", "deprecated": false, "target": { "file": "include/linux/cgroup.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aad8bbd17a1d586005feb9226c2e9cfce1432e13" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "79975611068060258724462758901661265091", "199816738037999465212685957999095382201", "84914071836529734814213091665094582272", "279189229696610449244160328363187448501", "281703251140454825688637241852738415709", "113718357627120965410255893416275912409", "63755454185455889651997644070186834233", "278729411673887484455491384650948984879", "143550818909015912294395225701101380900", 
"196498156335507242726170284127885139938", "155316922871735882522350232550677081723", "34233175191714982192077940746119686067" ] }, "id": "CVE-2022-48988-7fdf7023", "deprecated": false, "target": { "file": "mm/memcontrol.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1f7f36cf682fa59db15e2089039a2eeb58ff2ad" }, { "signature_version": "v1", "digest": { "length": 2796.0, "function_hash": "190859420971054012617743573496223773065" }, "id": "CVE-2022-48988-923f7f32", "deprecated": false, "target": { "file": "mm/memcontrol.c", "function": "memcg_write_event_control" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0ed074317b835caa6c03bcfa8f133365324673dc" }, { "signature_version": "v1", "digest": { "length": 2749.0, "function_hash": "13829442071334002542662847781431225461" }, "id": "CVE-2022-48988-932c285d", "deprecated": false, "target": { "file": "mm/memcontrol.c", "function": "memcg_write_event_control" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1f7f36cf682fa59db15e2089039a2eeb58ff2ad" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "79975611068060258724462758901661265091", "199816738037999465212685957999095382201", "84914071836529734814213091665094582272", "279189229696610449244160328363187448501", "281703251140454825688637241852738415709", "113718357627120965410255893416275912409", "63755454185455889651997644070186834233", "278729411673887484455491384650948984879", "143550818909015912294395225701101380900", "196498156335507242726170284127885139938", "155316922871735882522350232550677081723", "34233175191714982192077940746119686067" ] }, "id": "CVE-2022-48988-95f98ea6", "deprecated": false, "target": { "file": "mm/memcontrol.c" }, "signature_type": "Line", "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b77600e26fd48727a95ffd50ba1e937efb548125" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "83089095526772817653816770118823419646", "262359170411114634663209488913915357215", "229686965349976509158844008520136423675", "66210024757204847858147671966385048140" ] }, "id": "CVE-2022-48988-960f7d00", "deprecated": false, "target": { "file": "kernel/cgroup/cgroup-internal.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35963b31821920908e397146502066f6b032c917" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "83089095526772817653816770118823419646", "262359170411114634663209488913915357215", "229686965349976509158844008520136423675", "66210024757204847858147671966385048140" ] }, "id": "CVE-2022-48988-9c52e121", "deprecated": false, "target": { "file": "kernel/cgroup/cgroup-internal.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a7ba45b1a435e7097ca0f79a847d0949d0eb088" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "131131080031059583973056184652901458632", "120038855180224988911685403846730250717", "206657593666141675931938864117121010498" ] }, "id": "CVE-2022-48988-a705f6be", "deprecated": false, "target": { "file": "include/linux/cgroup.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4a7ba45b1a435e7097ca0f79a847d0949d0eb088" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "83089095526772817653816770118823419646", "262359170411114634663209488913915357215", "229686965349976509158844008520136423675", "66210024757204847858147671966385048140" ] }, "id": "CVE-2022-48988-b4c9301e", "deprecated": false, "target": { "file": "kernel/cgroup/cgroup-internal.h" }, "signature_type": "Line", "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e1ae97624ecf400ea56c238bff23e5cd139df0b8" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "79975611068060258724462758901661265091", "199816738037999465212685957999095382201", "84914071836529734814213091665094582272", "279189229696610449244160328363187448501", "281703251140454825688637241852738415709", "113718357627120965410255893416275912409", "63755454185455889651997644070186834233", "278729411673887484455491384650948984879", "143550818909015912294395225701101380900", "196498156335507242726170284127885139938", "155316922871735882522350232550677081723", "34233175191714982192077940746119686067" ] }, "id": "CVE-2022-48988-d4a4a445", "deprecated": false, "target": { "file": "mm/memcontrol.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35963b31821920908e397146502066f6b032c917" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "131131080031059583973056184652901458632", "120038855180224988911685403846730250717", "206657593666141675931938864117121010498" ] }, "id": "CVE-2022-48988-d5bbf67e", "deprecated": false, "target": { "file": "include/linux/cgroup.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@35963b31821920908e397146502066f6b032c917" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "79975611068060258724462758901661265091", "199816738037999465212685957999095382201", "84914071836529734814213091665094582272", "279189229696610449244160328363187448501", "281703251140454825688637241852738415709", "113718357627120965410255893416275912409", "63755454185455889651997644070186834233", "278729411673887484455491384650948984879", "143550818909015912294395225701101380900", "196498156335507242726170284127885139938", "155316922871735882522350232550677081723", "34233175191714982192077940746119686067" ] }, 
"id": "CVE-2022-48988-e5ee1c48", "deprecated": false, "target": { "file": "mm/memcontrol.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e1ae97624ecf400ea56c238bff23e5cd139df0b8" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "131131080031059583973056184652901458632", "120038855180224988911685403846730250717", "206657593666141675931938864117121010498" ] }, "id": "CVE-2022-48988-e9ada0c4", "deprecated": false, "target": { "file": "include/linux/cgroup.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f1f7f36cf682fa59db15e2089039a2eeb58ff2ad" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "83089095526772817653816770118823419646", "262359170411114634663209488913915357215", "229686965349976509158844008520136423675", "66210024757204847858147671966385048140" ] }, "id": "CVE-2022-48988-f93780fb", "deprecated": false, "target": { "file": "kernel/cgroup/cgroup-internal.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@aad8bbd17a1d586005feb9226c2e9cfce1432e13" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "131131080031059583973056184652901458632", "120038855180224988911685403846730250717", "206657593666141675931938864117121010498" ] }, "id": "CVE-2022-48988-f96dc374", "deprecated": false, "target": { "file": "include/linux/cgroup.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b77600e26fd48727a95ffd50ba1e937efb548125" } ] }