CVE-2022-49567

In the Linux kernel, the following vulnerability has been resolved:

mm/mempolicy: fix uninit-value in mpolrebindpolicy()

mpolsetnodemask()(mm/mempolicy.c) does not set up nodemask when pol->mode is MPOLLOCAL. Check pol->mode before access pol->w.cpusetmemsallowed in mpolrebind_policy()(mm/mempolicy.c).

BUG: KMSAN: uninit-value in mpolrebindpolicy mm/mempolicy.c:352 [inline] BUG: KMSAN: uninit-value in mpolrebindtask+0x2ac/0x2c0 mm/mempolicy.c:368 mpolrebindpolicy mm/mempolicy.c:352 [inline] mpolrebindtask+0x2ac/0x2c0 mm/mempolicy.c:368 cpusetchangetasknodemask kernel/cgroup/cpuset.c:1711 [inline] cpusetattach+0x787/0x15e0 kernel/cgroup/cpuset.c:2278 cgroupmigrateexecute+0x1023/0x1d20 kernel/cgroup/cgroup.c:2515 cgroupmigrate kernel/cgroup/cgroup.c:2771 [inline] cgroupattachtask+0x540/0x8b0 kernel/cgroup/cgroup.c:2804 _cgroup1procswrite+0x5cc/0x7a0 kernel/cgroup/cgroup-v1.c:520 cgroup1taskswrite+0x94/0xb0 kernel/cgroup/cgroup-v1.c:539 cgroupfilewrite+0x4c2/0x9e0 kernel/cgroup/cgroup.c:3852 kernfsfopwriteiter+0x66a/0x9f0 fs/kernfs/file.c:296 callwriteiter include/linux/fs.h:2162 [inline] newsyncwrite fs/readwrite.c:503 [inline] vfswrite+0x1318/0x2030 fs/readwrite.c:590 ksyswrite+0x28b/0x510 fs/readwrite.c:643 _dosyswrite fs/readwrite.c:655 [inline] _sesyswrite fs/readwrite.c:652 [inline] _x64syswrite+0xdb/0x120 fs/readwrite.c:652 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall64+0x54/0xd0 arch/x86/entry/common.c:82 entrySYSCALL64afterhwframe+0x44/0xae

Uninit was created at: slabpostallochook mm/slab.h:524 [inline] slaballocnode mm/slub.c:3251 [inline] slaballoc mm/slub.c:3259 [inline] kmemcachealloc+0x902/0x11c0 mm/slub.c:3264 mpolnew mm/mempolicy.c:293 [inline] dosetmempolicy+0x421/0xb70 mm/mempolicy.c:853 kernelsetmempolicy mm/mempolicy.c:1504 [inline] _dosyssetmempolicy mm/mempolicy.c:1510 [inline] _sesyssetmempolicy+0x44c/0xb60 mm/mempolicy.c:1507 _x64syssetmempolicy+0xd8/0x110 mm/mempolicy.c:1507 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall64+0x54/0xd0 arch/x86/entry/common.c:82 entrySYSCALL64after_hwframe+0x44/0xae

KMSAN: uninit-value in mpolrebindtask (2) https://syzkaller.appspot.com/bug?id=d6eb90f952c2a5de9ea718a1b873c55cb13b59dc

This patch seems to fix below bug too. KMSAN: uninit-value in mpolrebindmm (2) https://syzkaller.appspot.com/bug?id=f2fecd0d7013f54ec4162f60743a2b28df40926b

The uninit-value is pol->w.cpusetmemsallowed in mpolrebindpolicy(). When syzkaller reproducer runs to the beginning of mpol_new(),

    mpol_new() mm/mempolicy.c
  do_mbind() mm/mempolicy.c
kernel_mbind() mm/mempolicy.c

mode is 1(MPOLPREFERRED), nodesempty(*nodes) is true and flags is 0. Then

mode = MPOL_LOCAL;
...
policy->mode = mode;
policy->flags = flags;

will be executed. So in mpolsetnodemask(),

    mpol_set_nodemask() mm/mempolicy.c
  do_mbind()
kernel_mbind()

pol->mode is 4 (MPOLLOCAL), that nodemask in pol is not initialized, which will be accessed in mpolrebind_policy().