CVE-2022-49990

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> s390: fix double free of GS and RI CBs on fork() failure<br /> <br /> The pointers for guarded storage and runtime instrumentation control<br /> blocks are stored in the thread_struct of the associated task. These<br /> pointers are initially copied on fork() via arch_dup_task_struct()<br /> and then cleared via copy_thread() before fork() returns. If fork()<br /> happens to fail after the initial task dup and before copy_thread(),<br /> the newly allocated task and associated thread_struct memory are<br /> freed via free_task() -&gt; arch_release_task_struct(). This results in<br /> a double free of the guarded storage and runtime info structs<br /> because the fields in the failed task still refer to memory<br /> associated with the source task.<br /> <br /> This problem can manifest as a BUG_ON() in set_freepointer() (with<br /> CONFIG_SLAB_FREELIST_HARDENED enabled) or KASAN splat (if enabled)<br /> when running trinity syscall fuzz tests on s390x. To avoid this<br /> problem, clear the associated pointer fields in<br /> arch_dup_task_struct() immediately after the new task is copied.<br /> Note that the RI flag is still cleared in copy_thread() because it<br /> resides in thread stack memory and that is where stack info is<br /> copied.