CVE-2022-49647

{"id": "CVE-2022-49647", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:39.863", "references": [{"url": "https://git.kernel.org/stable/c/05f7658210d1d331e8dd4cb6e7bbbe3df5f5ac27", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/07fd5b6cdf3cc30bfde8fe0f644771688be04447", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0e41774b564befa6d271e8d5086bf870d617a4e6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/54aee4e5ce8c21555286a6333e46c1713880cf93", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7657e3958535d101a24ab4400f9b8062b9107cc4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ad44e05f3e016bdcb1ad25af35ade5b5f41ccd68", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cec2bbdcc14fbaa6b95ee15a7c423b05d97038be", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: Use separate src/dst nodes when preloading css_sets for migration\n\nEach cset (css_set) is pinned by its tasks. When we're moving tasks around\nacross csets for a migration, we need to hold the source and destination\ncsets to ensure that they don't go away while we're moving tasks about. This\nis done by linking cset->mg_preload_node on either the\nmgctx->preloaded_src_csets or mgctx->preloaded_dst_csets list. Using the\nsame cset->mg_preload_node for both the src and dst lists was deemed okay as\na cset can't be both the source and destination at the same time.\n\nUnfortunately, this overloading becomes problematic when multiple tasks are\ninvolved in a migration and some of them are identity noop migrations while\nothers are actually moving across cgroups. For example, this can happen with\nthe following sequence on cgroup1:\n\n #1> mkdir -p /sys/fs/cgroup/misc/a/b\n #2> echo $$ > /sys/fs/cgroup/misc/a/cgroup.procs\n #3> RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS &\n #4> PID=$!\n #5> echo $PID > /sys/fs/cgroup/misc/a/b/tasks\n #6> echo $PID > /sys/fs/cgroup/misc/a/cgroup.procs\n\nthe process including the group leader back into a. In this final migration,\nnon-leader threads would be doing identity migration while the group leader\nis doing an actual one.\n\nAfter #3, let's say the whole process was in cset A, and that after #4, the\nleader moves to cset B. Then, during #6, the following happens:\n\n 1. cgroup_migrate_add_src() is called on B for the leader.\n\n 2. cgroup_migrate_add_src() is called on A for the other threads.\n\n 3. cgroup_migrate_prepare_dst() is called. It scans the src list.\n\n 4. It notices that B wants to migrate to A, so it tries to A to the dst\n list but realizes that its ->mg_preload_node is already busy.\n\n 5. and then it notices A wants to migrate to A as it's an identity\n migration, it culls it by list_del_init()'ing its ->mg_preload_node and\n putting references accordingly.\n\n 6. The rest of migration takes place with B on the src list but nothing on\n the dst list.\n\nThis means that A isn't held while migration is in progress. If all tasks\nleave A before the migration finishes and the incoming task pins it, the\ncset will be destroyed leading to use-after-free.\n\nThis is caused by overloading cset->mg_preload_node for both src and dst\npreload lists. We wanted to exclude the cset from the src list but ended up\ninadvertently excluding it from the dst list too.\n\nThis patch fixes the issue by separating out cset->mg_preload_node into\n->mg_src_preload_node and ->mg_dst_preload_node, so that the src and dst\npreloadings don't interfere with each other."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cgroup: usar nodos src/dst separados al precargar css_sets para la migraci\u00f3n Cada cset (css_set) est\u00e1 fijado por sus tareas. Cuando estamos moviendo tareas entre csets para una migraci\u00f3n, necesitamos mantener los csets de origen y destino para asegurarnos de que no desaparezcan mientras movemos tareas. Esto se hace vinculando cset->mg_preload_node en la lista mgctx->preloaded_src_csets o mgctx->preloaded_dst_csets. Se consider\u00f3 correcto usar el mismo cset->mg_preload_node para las listas src y dst, ya que un cset no puede ser el origen y el destino al mismo tiempo. Desafortunadamente, esta sobrecarga se vuelve problem\u00e1tica cuando hay varias tareas involucradas en una migraci\u00f3n y algunas de ellas son migraciones de noop de identidad mientras que otras en realidad se est\u00e1n moviendo entre cgroup1: #1> mkdir -p /sys/fs/cgroup/misc/a/b #2> echo $$ > /sys/fs/cgroup/misc/a/cgroup.procs #3> RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS & #4> PID=$! #5> echo $PID > /sys/fs/cgroup/misc/a/b/tasks #6> echo $PID > /sys/fs/cgroup/misc/a/cgroup.procs el proceso que incluye al l\u00edder del grupo de nuevo en a. En esta migraci\u00f3n final, los subprocesos que no son l\u00edderes estar\u00edan realizando la migraci\u00f3n de identidad mientras que el l\u00edder del grupo est\u00e1 realizando una real. Despu\u00e9s del n.\u00b0 3, digamos que todo el proceso estaba en cset A, y que despu\u00e9s del n.\u00b0 4, el l\u00edder se mueve al cset B. Luego, durante el n.\u00b0 6, sucede lo siguiente: 1. se llama a cgroup_migrate_add_src() en B para el l\u00edder. 2. se llama a cgroup_migrate_add_src() en A para los otros subprocesos. 3. se llama a cgroup_migrate_prepare_dst(). Escanea la lista src. 4. Se da cuenta de que B quiere migrar a A, por lo que intenta llevar A a la lista dst pero se da cuenta de que su ->mg_preload_node ya est\u00e1 ocupado. 5. y luego se da cuenta de que A quiere migrar a A como es una migraci\u00f3n de identidad, lo descarta haciendo list_del_init()'ing su ->mg_preload_node y poniendo referencias en consecuencia. 6. El resto de la migraci\u00f3n se lleva a cabo con B en la lista src pero nada en la lista dst. Esto significa que A no se mantiene mientras la migraci\u00f3n est\u00e1 en progreso. Si todas las tareas abandonan A antes de que finalice la migraci\u00f3n y la tarea entrante lo fija, el cset se destruir\u00e1, lo que provocar\u00e1 un use-after-free. Esto se debe a la sobrecarga de cset->mg_preload_node para las listas de precarga de src y dst. Quer\u00edamos excluir el cset de la lista de src, pero terminamos excluy\u00e9ndolo inadvertidamente tambi\u00e9n de la lista de dst. Este parche soluciona el problema al separar cset->mg_preload_node en ->mg_src_preload_node y ->mg_dst_preload_node, de modo que las precargas de src y dst no interfieran entre s\u00ed."}], "lastModified": "2025-03-24T19:00:58.960", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C715C58E-FE6D-4E8A-B3B3-91BEE32F1721", "versionEndExcluding": "4.14.289", "versionStartIncluding": "3.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B22ACD7-9025-4AD5-AD6E-A929DEC79B75", "versionEndExcluding": "4.19.253", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C27A52F3-82C8-4F03-BE80-38D11CDBD503", "versionEndExcluding": "5.4.207", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46CE9FE9-22E3-45CA-8B5F-190C2CAFC5CE", "versionEndExcluding": "5.10.132", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AF59CE2F-BA66-4BFD-83AB-4576F3D1B49A", "versionEndExcluding": "5.15.56", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "640221A7-96EE-4B48-8FE1-BA810131789B", "versionEndExcluding": "5.18.13", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A8C30C2D-F82D-4D37-AB48-D76ABFBD5377"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF8547FC-C849-4F1B-804B-A93AE2F04A92"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3068028-F453-4A1C-B80F-3F5609ACEF60"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E9C0DB0-D349-489F-A3D6-B77214E93A8A"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A0DE3B7-0FFB-45AA-9BD6-19870CA7C6FD"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "00AE778B-BAEE-49EB-9F84-003B73D7862A"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}