CVE-2022-48988

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
21/10/2024
Last modified:
01/11/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

memcg: fix possible use-after-free in memcg_write_event_control()

memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too.

Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it, allowing any file to slip through. With the invariants broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-frees.

Fix the bug by resurrecting the file type check in __file_cft(). Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type.

Vulnerable products and versions

CPE | From (including) | Up to (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.14 (including) 4.14.302 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.269 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.227 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.159 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.83 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.0.13 (excluding)
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:*
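The version table above is the practical input a defender needs: given a kernel version string, is it inside one of the affected ranges? The following script is an added example (not part of this record, and not from the Linux kernel project) that transcribes the ranges from the table and evaluates a version string against them, handling the individually listed 6.1 release candidates and the distro-style suffixes that `uname -r` produces. The function names `version_key` and `is_affected` are this example's own. Note that distribution kernels routinely backport fixes without changing the upstream version number, so a match here is a prompt to check the vendor's changelog, not a confirmation.

```python
import platform
import re

# Affected ranges for CVE-2022-48988, transcribed from the record's CPE table:
# each pair is (from, including) .. (up to, excluding).
AFFECTED_RANGES = [
    ("3.14", "4.14.302"),
    ("4.15", "4.19.269"),
    ("4.20", "5.4.227"),
    ("5.5", "5.10.159"),
    ("5.11", "5.15.83"),
    ("5.16", "6.0.13"),
]

# Release candidates the table lists individually (6.1-rc1 through 6.1-rc8).
AFFECTED_EXACT = [f"6.1-rc{n}" for n in range(1, 9)]

# major.minor[.patch][-rcN]; anything after that (e.g. "-91-generic") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def version_key(version: str):
    """Turn '5.15.83', '6.1-rc3' or a distro string such as '5.15.0-91-generic'
    into a sortable tuple (major, minor, patch, is_final, rc).

    A release candidate sorts before the final release of the same number,
    which is how the kernel itself orders them: 6.1-rc8 < 6.1.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {version!r}")
    major, minor, patch, rc = m.groups()
    is_final = 0 if rc else 1
    return (int(major), int(minor), int(patch or 0), is_final, int(rc or 0))


def is_affected(version: str) -> bool:
    """True if the upstream version number falls inside an affected range
    or matches one of the individually listed release candidates."""
    key = version_key(version)
    if key in {version_key(v) for v in AFFECTED_EXACT}:
        return True
    return any(version_key(lo) <= key < version_key(hi)
               for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Check the running kernel (only meaningful on Linux).
    running = platform.release()
    try:
        print(running, "affected" if is_affected(running) else "not in affected ranges")
    except ValueError as exc:
        print(exc)
```

Run it on a Linux host to evaluate the running kernel, or call `is_affected()` directly with version strings collected from fleet inventory.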