CVE-2022-50323

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: do not sense pfmemalloc status in skb_append_pagefrags()<br /> <br /> skb_append_pagefrags() is used by af_unix and udp sendpage()<br /> implementation so far.<br /> <br /> In commit 326140063946 ("tcp: TX zerocopy should not sense<br /> pfmemalloc status") we explained why we should not sense<br /> pfmemalloc status for pages owned by user space.<br /> <br /> We should also use skb_fill_page_desc_noacc()<br /> in skb_append_pagefrags() to avoid following KCSAN report:<br /> <br /> BUG: KCSAN: data-race in lru_add_fn / skb_append_pagefrags<br /> <br /> write to 0xffffea00058fc1c8 of 8 bytes by task 17319 on cpu 0:<br /> __list_add include/linux/list.h:73 [inline]<br /> list_add include/linux/list.h:88 [inline]<br /> lruvec_add_folio include/linux/mm_inline.h:323 [inline]<br /> lru_add_fn+0x327/0x410 mm/swap.c:228<br /> folio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246<br /> lru_add_drain_cpu+0x73/0x250 mm/swap.c:669<br /> lru_add_drain+0x21/0x60 mm/swap.c:773<br /> free_pages_and_swap_cache+0x16/0x70 mm/swap_state.c:311<br /> tlb_batch_pages_flush mm/mmu_gather.c:59 [inline]<br /> tlb_flush_mmu_free mm/mmu_gather.c:256 [inline]<br /> tlb_flush_mmu+0x5b2/0x640 mm/mmu_gather.c:263<br /> tlb_finish_mmu+0x86/0x100 mm/mmu_gather.c:363<br /> exit_mmap+0x190/0x4d0 mm/mmap.c:3098<br /> __mmput+0x27/0x1b0 kernel/fork.c:1185<br /> mmput+0x3d/0x50 kernel/fork.c:1207<br /> copy_process+0x19fc/0x2100 kernel/fork.c:2518<br /> kernel_clone+0x166/0x550 kernel/fork.c:2671<br /> __do_sys_clone kernel/fork.c:2812 [inline]<br /> __se_sys_clone kernel/fork.c:2796 [inline]<br /> __x64_sys_clone+0xc3/0xf0 kernel/fork.c:2796<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> read to 0xffffea00058fc1c8 of 8 bytes by task 17325 on cpu 1:<br /> page_is_pfmemalloc include/linux/mm.h:1817 [inline]<br /> __skb_fill_page_desc include/linux/skbuff.h:2432 [inline]<br /> skb_fill_page_desc include/linux/skbuff.h:2453 [inline]<br /> skb_append_pagefrags+0x210/0x600 net/core/skbuff.c:3974<br /> unix_stream_sendpage+0x45e/0x990 net/unix/af_unix.c:2338<br /> kernel_sendpage+0x184/0x300 net/socket.c:3561<br /> sock_sendpage+0x5a/0x70 net/socket.c:1054<br /> pipe_to_sendpage+0x128/0x160 fs/splice.c:361<br /> splice_from_pipe_feed fs/splice.c:415 [inline]<br /> __splice_from_pipe+0x222/0x4d0 fs/splice.c:559<br /> splice_from_pipe fs/splice.c:594 [inline]<br /> generic_splice_sendpage+0x89/0xc0 fs/splice.c:743<br /> do_splice_from fs/splice.c:764 [inline]<br /> direct_splice_actor+0x80/0xa0 fs/splice.c:931<br /> splice_direct_to_actor+0x305/0x620 fs/splice.c:886<br /> do_splice_direct+0xfb/0x180 fs/splice.c:974<br /> do_sendfile+0x3bf/0x910 fs/read_write.c:1255<br /> __do_sys_sendfile64 fs/read_write.c:1323 [inline]<br /> __se_sys_sendfile64 fs/read_write.c:1309 [inline]<br /> __x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1309<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> value changed: 0x0000000000000000 -&gt; 0xffffea00058fc188<br /> <br /> Reported by Kernel Concurrency Sanitizer on:<br /> CPU: 1 PID: 17325 Comm: syz-executor.0 Not tainted 6.1.0-rc1-syzkaller-00158-g440b7895c990-dirty #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022