APPLIED[B]/cmnt: [SRU][J/B][PATCH] CVE-2022-42703
Kleber Souza
kleber.sacilotto.de.souza at canonical.com
Mon Nov 14 10:32:18 UTC 2022
On 11.11.22 13:49, Thadeu Lima de Souza Cascardo wrote:
> On Fri, Nov 11, 2022 at 01:23:54PM +0100, Stefan Bader wrote:
>> On 10.11.22 21:17, Yuxuan Luo wrote:
>>> [Impact]
>>> Double-reusing of leaf `anon_vma` results in incorrect merging because of
>>> `->degree` misinterpretation, leading to loss of child branches. This flaw
>>> could be exploited by attackers to dangle a VMA structure, leading to
>>> use-after-free.
>>>
>>> [Backport]
>>> The bug is reported as needed in Bionic and Jammy, pending(5.4.0-130.146)
>>> in Focal, and not-affected (5.19.0-18.18) in devel_linux. This patch can
>>> be backported to Bionic and Jammy cleanly without introducing other patches.
>>>
>>> [Testing]
>>> The discoverer of this CVE, Jann Horn, provided a proof of concept along with
>>> his report. This PoC has been tested on the patched Jammy kernel and shown
>>> that the two branches were not merged as opposed to them merging in the
>>> unpatched kernel. However, since the PoC relies on the flag `MADV_PAGEOUT`
>>> which is not introduced until 5.4.x, the Bionic kernel cannot be tested with
>>> this PoC.
>>>
>>> [Potential Regression]
>>> This patch should not have any potential regression since it does not alter
>>> essential logic or data structures, only one conditional statement.
>>>
>>> Jann Horn (1):
>>> mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
>>>
>>> Li Xinhai (1):
>>> mm: rmap: explicitly reset vma->anon_vma in unlink_anon_vmas()
>>>
>>> Wei Yang (1):
>>> mm/rmap.c: don't reuse anon_vma if we just want a copy
>>>
>>> include/linux/rmap.h |  7 ++++--
>>> mm/rmap.c            | 60 ++++++++++++++++++++++++++++----------------
>>> 2 files changed, 43 insertions(+), 24 deletions(-)
>>>
>>
>> For Jammy this is already applied for upstream stable v5.15.65. To Bionic
>> this does not apply (none of the 3).
>>
>> -Stefan
>>
>
> For bionic, they apply on top of Ubuntu-4.15.0-197.208. As of now, commit
> 2555283eb40df89945557273121e9393ef9b542b has been applied to bionic, but
> without the other two. And I would rather leave that code as close to the
> upstream version than as it is right now. I am considering applying
> 47b390d23bf81894395c8773acf6f73c66465dc4 to focal too, as it is missing there.
>
> Cascardo.
>
I have figured out why this patchset didn't apply anymore to bionic/linux. The
third patch of the series, "2555283eb40d mm/rmap: Fix anon_vma->degree ambiguity
leading to double-reuse", was applied via upstream-stable but was backported to
include some additional changes because of the different context in
anon_vma_clone(), which ended up being the same code as after applying this
patchset. However, the other two patches of the series couldn't be applied anymore.
So I have decided to remove the patch applied via upstream-stable and apply the
patches from this patchset so as to keep the same order of the fixes as in upstream.

Applied to bionic:linux.
Thanks,
Kleber
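As an added example (not part of this thread and not Canonical's own tooling), the following POSIX shell check compares a Focal kernel package version against 5.4.0-130.146, the version the report above names as carrying the fix for Focal. The page gives no fixed package version for Bionic or Jammy (Bionic's fix is applied on top of Ubuntu-4.15.0-197.208, Jammy's came in via stable v5.15.65), so those are deliberately not encoded here. Reading the running kernel's package version through dpkg-query, and restricting the comparison to the 5.4.0 series, are my assumptions, not anything stated in the thread.

```shell
#!/bin/sh
# Added example, not from the kernel-team thread.
# Ubuntu kernel package versions look like MAJOR.MINOR.PATCH-ABI.UPLOAD,
# e.g. 5.4.0-130.146. `uname -r` only carries MAJOR.MINOR.PATCH-ABI-flavour,
# so the full version is read from the installed linux-image package.

# ubuntu_kver_ge A B: return 0 if Ubuntu kernel version A >= B, 1 otherwise.
# Every numeric field is compared in turn; a missing trailing field counts as 0.
ubuntu_kver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# kver_series V: the MAJOR.MINOR.PATCH part, e.g. 5.4.0 for 5.4.0-130.146.
kver_series() {
    printf '%s\n' "$1" | cut -d- -f1
}

# cve_2022_42703_fixed_focal V: prints "fixed" (status 0) or "vulnerable"
# (status 1) for a Focal 5.4.0 kernel package version V; status 2 if V is not
# a 5.4.0 kernel, since the Focal threshold does not apply to other series.
FOCAL_FIXED_VERSION="5.4.0-130.146"   # from the [Backport] section above
cve_2022_42703_fixed_focal() {
    v="$1"
    if [ "$(kver_series "$v")" != "5.4.0" ]; then
        printf 'not a Focal 5.4.0 kernel: %s\n' "$v"
        return 2
    fi
    if ubuntu_kver_ge "$v" "$FOCAL_FIXED_VERSION"; then
        printf 'fixed\n'
        return 0
    fi
    printf 'vulnerable\n'
    return 1
}

# running_ubuntu_kernel_version: package version of the booted kernel
# (assumption: dpkg-managed Ubuntu kernel; empty if the package is not found).
running_ubuntu_kernel_version() {
    dpkg-query -W -f='${Version}' "linux-image-$(uname -r)" 2>/dev/null
}

# Usage: `sh check.sh` on a Focal host, or `sh check.sh 5.4.0-129.145`
# to check a specific version string offline.
if [ -n "$1" ]; then
    cve_2022_42703_fixed_focal "$1"
elif [ -n "$(running_ubuntu_kernel_version)" ]; then
    cve_2022_42703_fixed_focal "$(running_ubuntu_kernel_version)"
fi
```

The comparison is numeric field by field, so 5.4.0-131.147 sorts after 5.4.0-130.146 even though a plain string sort would also happen to agree here; the series check keeps the Focal threshold from being silently applied to a 4.15 or 5.15 kernel, where the fix arrived through a different path.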