CVE-2022-50661
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
09/12/2025
Last modified:
09/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

seccomp: Move copy_seccomp() to no failure path.

Our syzbot instance reported memory leaks in do_seccomp() [0], similar
to the report [1]. It shows that we miss freeing struct seccomp_filter
and some objects included in it.

We can reproduce the issue with the program below [2] which calls one
seccomp() and two clone() syscalls.

The first clone()d child exits earlier than its parent and sends a
signal to kill it during the second clone(), more precisely before the
fatal_signal_pending() test in copy_process(). When the parent receives
the signal, it has to destroy the embryonic process and return -EINTR to
user space. In the failure path, we have to call seccomp_filter_release()
to decrement the filter's refcount.

Initially, we called it in free_task() called from the failure path, but
the commit 3a15fb6ed92c ("seccomp: release filter after task is fully
dead") moved it to release_task() to notify user space as early as possible
that the filter is no longer used.

To keep the change and current seccomp refcount semantics, let's move
copy_seccomp() just after the signal check and add a WARN_ON_ONCE() in
free_task() for future debugging.

[0]:
unreferenced object 0xffff8880063add00 (size 256):
comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.914s)
hex dump (first 32 bytes):
01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
backtrace:
do_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffffc90000035000 (size 4096):
comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
__vmalloc_node_range (mm/vmalloc.c:3226)
__vmalloc_node (mm/vmalloc.c:3261 (discriminator 4))
bpf_prog_alloc_no_stats (kernel/bpf/core.c:91)
bpf_prog_alloc (kernel/bpf/core.c:129)
bpf_prog_create_from_user (net/core/filter.c:1414)
do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffff888003fa1000 (size 1024):
comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
bpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95)
bpf_prog_alloc (kernel/bpf/core.c:129)
bpf_prog_create_from_user (net/core/filter.c:1414)
do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffff888006360240 (size 16):
comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s)
hex dump (first 16 bytes):
01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff ..7.verl........
backtrace:
bpf_prog_store_orig_filter (net/core/filter.c:1137)
bpf_prog_create_from_user (net/core/filter.c:1428)
do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)
do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
unreferenced object 0xffff888
---truncated---
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/29a69fa075d0577eff1137426669de21187ec182
- https://git.kernel.org/stable/c/5b81f0c6c60e35bf8153230ddfb03ebb14e17986
- https://git.kernel.org/stable/c/a1140cb215fa13dcec06d12ba0c3ee105633b7c4
- https://git.kernel.org/stable/c/a31a647a3d1073a642c5bbe3457731fb353cb980
- https://git.kernel.org/stable/c/d4a895e924b486f2a38463114509e1088ef4d7f5