CVE-2022-48988

Updated: 2024-11-04 14:02:46.388442

Description:

In the Linux kernel, the following vulnerability has been resolved:

memcg: fix possible use-after-free in memcg_write_event_control()

memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too.

Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it, allowing any file to slip through. With the invariants broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-frees.

Fix the bug by resurrecting the file type check in __file_cft(). Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | | 0 |
| CVSS Version 3.x | HIGH | 7 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | kernel | 5.14.0 | 7.0 | HIGH | Released | CLSA-2025:1738671431 | 2025-02-05 02:57:08 | |
| AlmaLinux 9.2 FIPS | kernel | 5.14.0 | 7.0 | HIGH | Released | CLSA-2025:1738670922 | 2025-02-05 02:13:43 | |
| CentOS 8.4 ELS | kernel | 4.18.0 | 7.0 | HIGH | Released | CLSA-2024:1731430561 | 2024-11-12 13:31:53 | |
| CentOS 8.5 ELS | kernel | 4.18.0 | 7.0 | HIGH | In Testing | CLSA-2024:1731431059 | 2025-02-11 00:37:19 | |
| CentOS Stream 8 ELS | kernel | 4.18.0 | 7.0 | HIGH | Already Fixed | | 2025-02-19 06:50:31 | |
| Ubuntu 16.04 ELS | linux | 4.4.0 | 7.0 | HIGH | In Testing | CLSA-2024:1731605761 | 2025-02-01 23:55:37 | |
| Ubuntu 16.04 ELS | linux-hwe | 4.15.0 | 7.0 | HIGH | Already Fixed | | 2024-11-07 12:03:11 | |