{"timestamp":"2024-09-10T16:04:18.997658Z","id":"CVE-2022-48892","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["kernel/sched/core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"07ec77a1d4e82526e1588979fff2f024f8e96df2","lessThan":"b22faa21b6230d5eccd233e1b7e0026a5002b287","versionType":"git","status":"affected"},{"version":"07ec77a1d4e82526e1588979fff2f024f8e96df2","lessThan":"7b5cc7fd1789ea5dbb942c9f8207b076d365badc","versionType":"git","status":"affected"},{"version":"07ec77a1d4e82526e1588979fff2f024f8e96df2","lessThan":"87ca4f9efbd7cc649ff43b87970888f2812945b8","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["kernel/sched/core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","versionType":"semver","status":"unaffected"},{"version":"5.15.89","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.7","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.2","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

NIST CWE-415

NIST CWE-416

OR
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.15 up to (excluding) 5.15.89
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.7

https://git.kernel.org/stable/c/7b5cc7fd1789ea5dbb942c9f8207b076d365badc No Types Assigned

https://git.kernel.org/stable/c/7b5cc7fd1789ea5dbb942c9f8207b076d365badc Patch

https://git.kernel.org/stable/c/87ca4f9efbd7cc649ff43b87970888f2812945b8 No Types Assigned

https://git.kernel.org/stable/c/87ca4f9efbd7cc649ff43b87970888f2812945b8 Patch

https://git.kernel.org/stable/c/b22faa21b6230d5eccd233e1b7e0026a5002b287 No Types Assigned

https://git.kernel.org/stable/c/b22faa21b6230d5eccd233e1b7e0026a5002b287 Patch

In the Linux kernel, the following vulnerability has been resolved:

sched/core: Fix use-after-free bug in dup_user_cpus_ptr()

Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be
restricted on asymmetric systems"), the setting and clearing of
user_cpus_ptr are done under pi_lock for arm64 architecture. However,
dup_user_cpus_ptr() accesses user_cpus_ptr without any lock
protection. Since sched_setaffinity() can be invoked from another
process, the process being modified may be undergoing fork() at
the same time.  When racing with the clearing of user_cpus_ptr in
__set_cpus_allowed_ptr_locked(), it can lead to user-after-free and
possibly double-free in arm64 kernel.

Commit 8f9ea86fdf99 ("sched: Always preserve the user requested
cpumask") fixes this problem as user_cpus_ptr, once set, will never
be cleared in a task's lifetime. However, this bug was re-introduced
in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in
do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in
do_set_cpus_allowed(). This time, it will affect all arches.

Fix this bug by always clearing the user_cpus_ptr of the newly
cloned/forked task before the copying process starts and check the
user_cpus_ptr state of the source task under pi_lock.

Note to stable, this patch won't be applicable to stable releases.
Just copy the new dup_user_cpus_ptr() function over.

kernel.org https://git.kernel.org/stable/c/7b5cc7fd1789ea5dbb942c9f8207b076d365badc [No types assigned]

kernel.org https://git.kernel.org/stable/c/87ca4f9efbd7cc649ff43b87970888f2812945b8 [No types assigned]

kernel.org https://git.kernel.org/stable/c/b22faa21b6230d5eccd233e1b7e0026a5002b287 [No types assigned]