gsd-2022-48649
Vulnerability from gsd
Modified
2024-02-26 06:00
Details
In the Linux kernel, the following vulnerability has been resolved:
mm/slab_common: fix possible double free of kmem_cache
When doing slub_debug test, kfence's 'test_memcache_typesafe_by_rcu'
kunit test case cause a use-after-free error:
BUG: KASAN: use-after-free in kobject_del+0x14/0x30
Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261
CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.0.0-rc5-next-20220916 #17
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x48
print_address_description.constprop.0+0x87/0x2a5
print_report+0x103/0x1ed
kasan_report+0xb7/0x140
kobject_del+0x14/0x30
kmem_cache_destroy+0x130/0x170
test_exit+0x1a/0x30
kunit_try_run_case+0xad/0xc0
kunit_generic_run_threadfn_adapter+0x26/0x50
kthread+0x17b/0x1b0
</TASK>
The cause is inside kmem_cache_destroy():
kmem_cache_destroy
acquire lock/mutex
shutdown_cache
schedule_work(kmem_cache_release) (if RCU flag set)
release lock/mutex
kmem_cache_release (if RCU flag not set)
In some certain timing, the scheduled work could be run before
the next RCU flag checking, which can then get a wrong value
and lead to double kmem_cache_release().
Fix it by caching the RCU flag inside protected area, just like 'refcnt'
Aliases
{ "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2022-48649" ], "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab_common: fix possible double free of kmem_cache\n\nWhen doing slub_debug test, kfence\u0027s \u0027test_memcache_typesafe_by_rcu\u0027\nkunit test case cause a use-after-free error:\n\n BUG: KASAN: use-after-free in kobject_del+0x14/0x30\n Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261\n\n CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.0.0-rc5-next-20220916 #17\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x48\n print_address_description.constprop.0+0x87/0x2a5\n print_report+0x103/0x1ed\n kasan_report+0xb7/0x140\n kobject_del+0x14/0x30\n kmem_cache_destroy+0x130/0x170\n test_exit+0x1a/0x30\n kunit_try_run_case+0xad/0xc0\n kunit_generic_run_threadfn_adapter+0x26/0x50\n kthread+0x17b/0x1b0\n \u003c/TASK\u003e\n\nThe cause is inside kmem_cache_destroy():\n\nkmem_cache_destroy\n acquire lock/mutex\n shutdown_cache\n schedule_work(kmem_cache_release) (if RCU flag set)\n release lock/mutex\n kmem_cache_release (if RCU flag not set)\n\nIn some certain timing, the scheduled work could be run before\nthe next RCU flag checking, which can then get a wrong value\nand lead to double kmem_cache_release().\n\nFix it by caching the RCU flag inside protected area, just like \u0027refcnt\u0027", "id": "GSD-2022-48649", "modified": "2024-02-26T06:00:31.604685Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "cve@kernel.org", "ID": "CVE-2022-48649", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Linux", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "357321557920", "version_value": "c673c6ceac53" }, { "version_affected": "\u003c", "version_name": "0495e337b703", "version_value": "d71608a87736" }, { "version_affected": "\u003c", "version_name": "5.19.8", "version_value": "5.19.12" } ] } } ] }, "vendor_name": "Linux" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab_common: fix possible double free of kmem_cache\n\nWhen doing slub_debug test, kfence\u0027s \u0027test_memcache_typesafe_by_rcu\u0027\nkunit test case cause a use-after-free error:\n\n BUG: KASAN: use-after-free in kobject_del+0x14/0x30\n Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261\n\n CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.0.0-rc5-next-20220916 #17\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x48\n print_address_description.constprop.0+0x87/0x2a5\n print_report+0x103/0x1ed\n kasan_report+0xb7/0x140\n kobject_del+0x14/0x30\n kmem_cache_destroy+0x130/0x170\n test_exit+0x1a/0x30\n kunit_try_run_case+0xad/0xc0\n kunit_generic_run_threadfn_adapter+0x26/0x50\n kthread+0x17b/0x1b0\n \u003c/TASK\u003e\n\nThe cause is inside kmem_cache_destroy():\n\nkmem_cache_destroy\n acquire lock/mutex\n shutdown_cache\n schedule_work(kmem_cache_release) (if RCU flag set)\n release lock/mutex\n kmem_cache_release (if RCU flag not set)\n\nIn some certain timing, the scheduled work could be run before\nthe next RCU flag checking, which can then get a wrong value\nand lead to double kmem_cache_release().\n\nFix it by caching the RCU flag inside protected area, just like \u0027refcnt\u0027" } ] }, "generator": { "engine": "bippy-d175d3acf727" }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://git.kernel.org/stable/c/c673c6ceac53fb2e631c9fbbd79957099a08927f", "refsource": "MISC", "url": "https://git.kernel.org/stable/c/c673c6ceac53fb2e631c9fbbd79957099a08927f" }, { "name": "https://git.kernel.org/stable/c/d71608a877362becdc94191f190902fac1e64d35", "refsource": "MISC", "url": "https://git.kernel.org/stable/c/d71608a877362becdc94191f190902fac1e64d35" } ] } }, "nvd.nist.gov": { "cve": { "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/slab_common: fix possible double free of kmem_cache\n\nWhen doing slub_debug test, kfence\u0027s \u0027test_memcache_typesafe_by_rcu\u0027\nkunit test case cause a use-after-free error:\n\n BUG: KASAN: use-after-free in kobject_del+0x14/0x30\n Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261\n\n CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.0.0-rc5-next-20220916 #17\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x48\n print_address_description.constprop.0+0x87/0x2a5\n print_report+0x103/0x1ed\n kasan_report+0xb7/0x140\n kobject_del+0x14/0x30\n kmem_cache_destroy+0x130/0x170\n test_exit+0x1a/0x30\n kunit_try_run_case+0xad/0xc0\n kunit_generic_run_threadfn_adapter+0x26/0x50\n kthread+0x17b/0x1b0\n \u003c/TASK\u003e\n\nThe cause is inside kmem_cache_destroy():\n\nkmem_cache_destroy\n acquire lock/mutex\n shutdown_cache\n schedule_work(kmem_cache_release) (if RCU flag set)\n release lock/mutex\n kmem_cache_release (if RCU flag not set)\n\nIn some certain timing, the scheduled work could be run before\nthe next RCU flag checking, which can then get a wrong value\nand lead to double kmem_cache_release().\n\nFix it by caching the RCU flag inside protected area, just like \u0027refcnt\u0027" } ], "id": "CVE-2022-48649", "lastModified": "2024-04-28T13:15:07.333", "metrics": {}, "published": "2024-04-28T13:15:07.333", "references": [ { "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c673c6ceac53fb2e631c9fbbd79957099a08927f" }, { "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d71608a877362becdc94191f190902fac1e64d35" } ], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received" } } } }
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.