Late-NACK/Cmnt: [SRU][J/B][PATCH] CVE-2022-42703

Stefan Bader stefan.bader at canonical.com
Fri Nov 11 12:23:54 UTC 2022


On 10.11.22 21:17, Yuxuan Luo wrote:
> [Impact]
> Double-reusing of leaf `anon_vma` results in incorrect merging because of
> `->degree` misinterpretation, leading to loss of child branches. This flaw
> could be exploited by attackers to dangle a VMA structure, leading to
> use-after-free.
> 
> [Backport]
> The bug is reported as needed in Bionic and Jammy, pending (5.4.0-130.146)
> in Focal, and not-affected (5.19.0-18.18) in devel_linux. This patch can
> be backported to Bionic and Jammy cleanly without introducing other patches.
> 
> [Testing]
> The discoverer of this CVE, Jann Horn, provided a proof of concept along with
> his report. This PoC has been tested on the patched Jammy kernel and has shown
> that the two branches were not merged, as opposed to them merging in the
> unpatched kernel. However, since the PoC relies on the flag `MADV_PAGEOUT`
> which is not introduced until 5.4.x, the Bionic kernel cannot be tested with
> this PoC.
> 
> [Potential Regression]
> This patch should not have any potential regression since it does not alter
> essential logic and data structure but one condition statement.
> 
> Jann Horn (1):
>    mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
> 
> Li Xinhai (1):
>    mm: rmap: explicitly reset vma->anon_vma in unlink_anon_vmas()
> 
> Wei Yang (1):
>    mm/rmap.c: don't reuse anon_vma if we just want a copy
> 
>   include/linux/rmap.h |  7 ++++--
>   mm/rmap.c            | 60 ++++++++++++++++++++++++++++----------------
>   2 files changed, 43 insertions(+), 24 deletions(-)
> 

For Jammy this is already applied for upstream stable v5.15.65. To Bionic this
does not apply (none of the 3).

-Stefan
