ghsa-9593-f5wq-r2vm
Vulnerability from github
Published
2024-10-21 21:30
Modified
2024-11-01 15:31
Severity ?
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

memcg: fix possible use-after-free in memcg_write_event_control()

memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too.

Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it allowing any file to slip through. With the invarients broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-free's.

Fix the bug by resurrecting the file type check in __file_cft(). Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-48988"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemcg: fix possible use-after-free in memcg_write_event_control()\n\nmemcg_write_event_control() accesses the dentry-\u003ed_name of the specified\ncontrol fd to route the write call.  As a cgroup interface file can\u0027t be\nrenamed, it\u0027s safe to access d_name as long as the specified file is a\nregular cgroup file.  Also, as these cgroup interface files can\u0027t be\nremoved before the directory, it\u0027s safe to access the parent too.\n\nPrior to 347c4a874710 (\"memcg: remove cgroup_event-\u003ecft\"), there was a\ncall to __file_cft() which verified that the specified file is a regular\ncgroupfs file before further accesses.  The cftype pointer returned from\n__file_cft() was no longer necessary and the commit inadvertently dropped\nthe file type check with it allowing any file to slip through.  With the\ninvarients broken, the d_name and parent accesses can now race against\nrenames and removals of arbitrary files and cause use-after-free\u0027s.\n\nFix the bug by resurrecting the file type check in __file_cft().  Now that\ncgroupfs is implemented through kernfs, checking the file operations needs\nto go through a layer of indirection.  Instead, let\u0027s check the superblock\nand dentry type.",
  "id": "GHSA-9593-f5wq-r2vm",
  "modified": "2024-11-01T15:31:46Z",
  "published": "2024-10-21T21:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48988"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0ed074317b835caa6c03bcfa8f133365324673dc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/35963b31821920908e397146502066f6b032c917"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4a7ba45b1a435e7097ca0f79a847d0949d0eb088"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aad8bbd17a1d586005feb9226c2e9cfce1432e13"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b77600e26fd48727a95ffd50ba1e937efb548125"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e1ae97624ecf400ea56c238bff23e5cd139df0b8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f1f7f36cf682fa59db15e2089039a2eeb58ff2ad"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.