CVE-2022-49567
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
10/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
mm/mempolicy: fix uninit-value in mpol_rebind_policy()<br />
<br />
mpol_set_nodemask()(mm/mempolicy.c) does not set up nodemask when<br />
pol->mode is MPOL_LOCAL. Check pol->mode before access<br />
pol->w.cpuset_mems_allowed in mpol_rebind_policy()(mm/mempolicy.c).<br />
<br />
BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:352 [inline]<br />
BUG: KMSAN: uninit-value in mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368<br />
mpol_rebind_policy mm/mempolicy.c:352 [inline]<br />
mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368<br />
cpuset_change_task_nodemask kernel/cgroup/cpuset.c:1711 [inline]<br />
cpuset_attach+0x787/0x15e0 kernel/cgroup/cpuset.c:2278<br />
cgroup_migrate_execute+0x1023/0x1d20 kernel/cgroup/cgroup.c:2515<br />
cgroup_migrate kernel/cgroup/cgroup.c:2771 [inline]<br />
cgroup_attach_task+0x540/0x8b0 kernel/cgroup/cgroup.c:2804<br />
__cgroup1_procs_write+0x5cc/0x7a0 kernel/cgroup/cgroup-v1.c:520<br />
cgroup1_tasks_write+0x94/0xb0 kernel/cgroup/cgroup-v1.c:539<br />
cgroup_file_write+0x4c2/0x9e0 kernel/cgroup/cgroup.c:3852<br />
kernfs_fop_write_iter+0x66a/0x9f0 fs/kernfs/file.c:296<br />
call_write_iter include/linux/fs.h:2162 [inline]<br />
new_sync_write fs/read_write.c:503 [inline]<br />
vfs_write+0x1318/0x2030 fs/read_write.c:590<br />
ksys_write+0x28b/0x510 fs/read_write.c:643<br />
__do_sys_write fs/read_write.c:655 [inline]<br />
__se_sys_write fs/read_write.c:652 [inline]<br />
__x64_sys_write+0xdb/0x120 fs/read_write.c:652<br />
do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br />
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82<br />
entry_SYSCALL_64_after_hwframe+0x44/0xae<br />
<br />
Uninit was created at:<br />
slab_post_alloc_hook mm/slab.h:524 [inline]<br />
slab_alloc_node mm/slub.c:3251 [inline]<br />
slab_alloc mm/slub.c:3259 [inline]<br />
kmem_cache_alloc+0x902/0x11c0 mm/slub.c:3264<br />
mpol_new mm/mempolicy.c:293 [inline]<br />
do_set_mempolicy+0x421/0xb70 mm/mempolicy.c:853<br />
kernel_set_mempolicy mm/mempolicy.c:1504 [inline]<br />
__do_sys_set_mempolicy mm/mempolicy.c:1510 [inline]<br />
__se_sys_set_mempolicy+0x44c/0xb60 mm/mempolicy.c:1507<br />
__x64_sys_set_mempolicy+0xd8/0x110 mm/mempolicy.c:1507<br />
do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br />
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82<br />
entry_SYSCALL_64_after_hwframe+0x44/0xae<br />
<br />
KMSAN: uninit-value in mpol_rebind_task (2)<br />
https://syzkaller.appspot.com/bug?id=d6eb90f952c2a5de9ea718a1b873c55cb13b59dc<br />
<br />
This patch seems to fix below bug too.<br />
KMSAN: uninit-value in mpol_rebind_mm (2)<br />
https://syzkaller.appspot.com/bug?id=f2fecd0d7013f54ec4162f60743a2b28df40926b<br />
<br />
The uninit-value is pol->w.cpuset_mems_allowed in mpol_rebind_policy().<br />
When syzkaller reproducer runs to the beginning of mpol_new(),<br />
<br />
mpol_new() mm/mempolicy.c<br />
do_mbind() mm/mempolicy.c<br />
kernel_mbind() mm/mempolicy.c<br />
<br />
`mode` is 1(MPOL_PREFERRED), nodes_empty(*nodes) is `true` and `flags`<br />
is 0. Then<br />
<br />
mode = MPOL_LOCAL;<br />
...<br />
policy->mode = mode;<br />
policy->flags = flags;<br />
<br />
will be executed. So in mpol_set_nodemask(),<br />
<br />
mpol_set_nodemask() mm/mempolicy.c<br />
do_mbind()<br />
kernel_mbind()<br />
<br />
pol->mode is 4 (MPOL_LOCAL), that `nodemask` in `pol` is not initialized,<br />
which will be accessed in mpol_rebind_policy().
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.9.325 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.290 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.254 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.208 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.134 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.58 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.18.15 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/018160ad314d75b1409129b2247b614a9f35894c
- https://git.kernel.org/stable/c/13d51565cec1aa432a6ab363edc2bbc53c6f49cb
- https://git.kernel.org/stable/c/5735845906fb1d90fe597f8b503fc0a857d475e3
- https://git.kernel.org/stable/c/777e563f10e91e91130fe06bee85220d508e7b9b
- https://git.kernel.org/stable/c/8c5429a04ccd8dbcc3c753dab2f4126774ec28d4
- https://git.kernel.org/stable/c/a1f8765f68bc9bf5744b365bb9f5e0b6db93edfe
- https://git.kernel.org/stable/c/aaa1c5d635a6fca2043513ffb5be169f9cd17d9e
- https://git.kernel.org/stable/c/ddb3f0b68863bd1c5f43177eea476bce316d4993