[SRU][J/B][PATCH] CVE-2022-42703

Yuxuan Luo yuxuan.luo at canonical.com
Thu Nov 10 20:17:29 UTC 2022


[Impact]
Double reuse of a leaf `anon_vma` results in incorrect merging because of
`->degree` misinterpretation, leading to loss of child branches. This flaw
could be exploited by an attacker to leave a VMA structure dangling, leading
to a use-after-free.

[Backport]
The bug is reported as needed in Bionic and Jammy, pending (5.4.0-130.146)
in Focal, and not-affected (5.19.0-18.18) in devel_linux. This patch can
be backported to Bionic and Jammy cleanly without introducing other patches.

[Testing]
The discoverer of this CVE, Jann Horn, provided a proof of concept along with
his report. This PoC has been tested on the patched Jammy kernel and showed
that the two branches were not merged, as opposed to them merging in the
unpatched kernel. However, since the PoC relies on the flag `MADV_PAGEOUT`,
which was not introduced until 5.4.x, the Bionic kernel cannot be tested with
this PoC.

[Potential Regression]
This patch should not cause any regression, since it does not alter
essential logic or data structures, only one conditional statement.

Jann Horn (1):
  mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse

Li Xinhai (1):
  mm: rmap: explicitly reset vma->anon_vma in unlink_anon_vmas()

Wei Yang (1):
  mm/rmap.c: don't reuse anon_vma if we just want a copy

 include/linux/rmap.h |  7 ++++--
 mm/rmap.c            | 60 ++++++++++++++++++++++++++++----------------
 2 files changed, 43 insertions(+), 24 deletions(-)

-- 
2.34.1
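The `->degree` ambiguity the cover letter's [Impact] section refers to, as an added illustration that is not part of the original mail, the kernel's code, or the series under review: a constructed userland C model of the reuse decision in `anon_vma_clone()`. The two rules compared (the pre-fix `degree < 2` check and the split `num_children` / `num_active_vmas` counters) are assumed from the description of the upstream fix; the struct and function names below are hypothetical, and the model keeps only the counters that drive the decision.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model (not kernel code) of an anon_vma as seen by the reuse
 * check. `degree` is the single pre-fix counter; the other two are the
 * split counters the upstream fix is assumed to introduce.
 */
struct model_anon_vma {
    int degree;          /* pre-fix: child anon_vmas + directly attached VMAs */
    int num_children;    /* post-fix counter */
    int num_active_vmas; /* post-fix counter */
};

struct model_vma {
    struct model_anon_vma *anon_vma;
    unsigned long vm_pgoff; /* page offset; differs between the two clones below */
};

/* Pre-fix heuristic: a chain entry with degree < 2 is assumed to be a
 * reusable leaf that has no VMA of its own. */
static bool old_can_reuse(const struct model_anon_vma *av)
{
    return av->degree < 2;
}

/* Post-fix heuristic: at most one child AND no VMA currently pointing at it. */
static bool new_can_reuse(const struct model_anon_vma *av)
{
    return av->num_children < 2 && av->num_active_vmas == 0;
}

static void add_child(struct model_anon_vma *parent)
{
    parent->degree++;
    parent->num_children++;
}

/* Let dst take av as its ->anon_vma if the given rule permits it.
 * Both counters are updated so the same scenario can be run under either rule. */
static bool try_reuse(struct model_vma *dst, struct model_anon_vma *av,
                      bool (*can_reuse)(const struct model_anon_vma *))
{
    if (dst->anon_vma || !can_reuse(av))
        return false;
    dst->anon_vma = av;
    av->degree++;
    av->num_active_vmas++;
    return true;
}

/*
 * Constructed scenario: av is handed out to v1, so it directly backs one VMA,
 * has no children, and its degree is 1. A second clone, v2, with a different
 * page offset, then finds av in its source's chain. Returns whether v1 and v2
 * end up sharing the same ->anon_vma, which is the pointer-equality test that
 * anon_vma merging keys on; sharing it with mismatched offsets is the
 * "incorrect merging" the cover letter describes.
 */
static bool double_reuse_possible(bool (*can_reuse)(const struct model_anon_vma *))
{
    struct model_anon_vma av = {0};
    struct model_vma v1 = { .anon_vma = NULL, .vm_pgoff = 0 };
    struct model_vma v2 = { .anon_vma = NULL, .vm_pgoff = 16 };

    try_reuse(&v1, &av, can_reuse); /* first, legitimate reuse */
    try_reuse(&v2, &av, can_reuse); /* second attempt: degree is 1 either way */
    return v1.anon_vma != NULL && v1.anon_vma == v2.anon_vma;
}

/* A node with one child and no VMAs also has degree 1. The pre-fix rule
 * cannot tell this case from the one above; both rules may reuse this node. */
static bool interior_reuse_allowed(bool (*can_reuse)(const struct model_anon_vma *))
{
    struct model_anon_vma av = {0};
    struct model_vma v = { .anon_vma = NULL, .vm_pgoff = 0 };

    add_child(&av);
    return try_reuse(&v, &av, can_reuse);
}

int main(void)
{
    printf("degree<2 rule:       double reuse %s\n",
           double_reuse_possible(old_can_reuse) ? "possible" : "blocked");
    printf("split-counter rule:  double reuse %s\n",
           double_reuse_possible(new_can_reuse) ? "possible" : "blocked");
    printf("one-child node reusable: old=%d new=%d\n",
           interior_reuse_allowed(old_can_reuse), interior_reuse_allowed(new_can_reuse));
    return 0;
}
```

The point the model makes is that `degree == 1` is satisfied both by an interior node with one child and by a leaf that already backs one VMA; only the second case is the double reuse, and only separate counters can reject it while still allowing the first.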




More information about the kernel-team mailing list