ACK: [SRU][J/B][PATCH] CVE-2022-42703
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Fri Nov 11 12:18:30 UTC 2022
On Thu, Nov 10, 2022 at 03:17:29PM -0500, Yuxuan Luo wrote:
> [Impact]
> Double-reusing of leaf `anon_vma` results in incorrect merging because of
> `->degree` misinterpretation, leading to loss of child branches. This flaw
> could be exploited by attackers to dangle a VMA structure, leading to
> use-after-free.
>
> [Backport]
> The bug is reported as needed in Bionic and Jammy, pending(5.4.0-130.146)
> in Focal, and not-affected (5.19.0-18.18) in devel_linux. This patch can
> be backported to Bionic and Jammy cleanly without introducing other patches.
>
> [Testing]
> The discoverer of this CVE, Jann Horn, provided a proof of concept along with
> his report. This PoC has been tested on the patched Jammy kernel and shown
> that the two branches were not merged as opposed to them merging in the
> unpatched kernel. However, since the PoC relies on the flag `MADV_PAGEOUT`
> which is not introduced until 5.4.x, the Bionic kernel cannot be tested with
> this PoC.
>
> [Potential Regression]
> This patch should not have any potential regression since it does not alter
> essential logic and data structure but one condition statement.
>
> Jann Horn (1):
> mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
>
> Li Xinhai (1):
> mm: rmap: explicitly reset vma->anon_vma in unlink_anon_vmas()
>
> Wei Yang (1):
> mm/rmap.c: don't reuse anon_vma if we just want a copy
>
> include/linux/rmap.h | 7 ++++--
> mm/rmap.c | 60 ++++++++++++++++++++++++++++----------------
> 2 files changed, 43 insertions(+), 24 deletions(-)
>
> --
> 2.34.1
ACK for bionic as well (the other ACK was for Jammy).
Acked-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
More information about the kernel-team
mailing list