APPLIED[F]/Cmnt: [SRU][J/B][PATCH] CVE-2022-42703
Kleber Souza
kleber.sacilotto.de.souza at canonical.com
Mon Nov 14 11:05:47 UTC 2022
On 11.11.22 13:49, Thadeu Lima de Souza Cascardo wrote:
> On Fri, Nov 11, 2022 at 01:23:54PM +0100, Stefan Bader wrote:
>> On 10.11.22 21:17, Yuxuan Luo wrote:
>>> [Impact]
>>> Double-reusing of leaf `anon_vma` results in incorrect merging because of
>>> `->degree` misinterpretation, leading to loss of child branches. This flaw
>>> could be exploited by attackers to dangle a VMA structure, leading to
>>> use-after-free.
>>>
>>> [Backport]
>>> The bug is reported as needed in Bionic and Jammy, pending (5.4.0-130.146)
>>> in Focal, and not-affected (5.19.0-18.18) in devel_linux. This patch can
>>> be backported to Bionic and Jammy cleanly without introducing other patches.
>>>
>>> [Testing]
>>> The discoverer of this CVE, Jann Horn, provided a proof of concept along with
>>> his report. This PoC has been tested on the patched Jammy kernel and shown
>>> that the two branches were not merged as opposed to them merging in the
>>> unpatched kernel. However, since the PoC relies on the flag `MADV_PAGEOUT`
>>> which is not introduced until 5.4.x, the Bionic kernel cannot be tested with
>>> this PoC.
>>>
>>> [Potential Regression]
>>> This patch should not have any potential regression since it does not alter
>>> essential logic and data structure but one condition statement.
>>>
>>> Jann Horn (1):
>>> mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
>>>
>>> Li Xinhai (1):
>>> mm: rmap: explicitly reset vma->anon_vma in unlink_anon_vmas()
>>>
>>> Wei Yang (1):
>>> mm/rmap.c: don't reuse anon_vma if we just want a copy
>>>
>>> include/linux/rmap.h |  7 ++++--
>>> mm/rmap.c            | 60 ++++++++++++++++++++++++++++----------------
>>> 2 files changed, 43 insertions(+), 24 deletions(-)
>>>
>>
>> For Jammy this is already applied for upstream stable v5.15.65. To Bionic
>> this does not apply (none of the 3).
>>
>> -Stefan
>>
>
> For bionic, they apply on top of Ubuntu-4.15.0-197.208. As of now, commit
> 2555283eb40df89945557273121e9393ef9b542b has been applied to bionic, but
> without the other two. And I would rather leave that code as close to the
> upstream version than as it is right now. I am considering applying
> 47b390d23bf81894395c8773acf6f73c66465dc4 to focal too, as it is missing there.
>
> Cascardo.
>
With some small context adjustments, 47b390d23bf8 (patch 1/3) could be applied
to focal:linux as well.
Applied to focal:linux.
Thanks,
Kleber