CVE-2022-48931

Aug 22, 2024 - 4:15 a.m. (2024-08-22 04:15:16)
CWE-362
Linux
web.nvd.nist.gov
Tags: linux kernel, configfs, vulnerability, fix, race condition, link_group, unlink_group, mutex

CVSS3: 4.7
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score: 6.8 (Confidence: High)
EPSS: 0 (Percentile: 5.0%)

In the Linux kernel, the following vulnerability has been resolved:

configfs: fix a race in configfs_{,un}register_subsystem()

When configfs_register_subsystem() or configfs_unregister_subsystem()
is executing link_group() or unlink_group(),
it is possible that two processes add or delete list concurrently.
Some unfortunate interleavings of them can cause kernel panic.

One of the cases is:
A --> B --> C --> D
A <-- B <-- C <-- D

     delete list_head *B        |      delete list_head *C
--------------------------------|-----------------------------------
configfs_unregister_subsystem   |   configfs_unregister_subsystem
  unlink_group                  |     unlink_group
    unlink_obj                  |       unlink_obj
      list_del_init             |         list_del_init
        __list_del_entry        |           __list_del_entry
          __list_del            |             __list_del
            // next == C        |
            next->prev = prev   |
                                |               next->prev = prev
            prev->next = next   |
                                |                 // prev == B
                                |                 prev->next = next

Fix this by adding a mutex when calling link_group() or unlink_group(),
but the parent configfs_subsystem is NULL when the config_item is root.
So I create a mutex, configfs_subsystem_mutex.
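
The interleaving above, replayed deterministically in userspace C as an added example (not kernel code and not part of the advisory). struct list_head and list_del_init() are simplified stand-ins modelled on the kernel's list helpers; link4(), list_consistent(), replay_race() and replay_serialized() are hypothetical names, and the four-node list is constructed sample data.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace stand-in for the kernel's circular doubly linked list node. */
struct list_head { struct list_head *next, *prev; };
/* Constructed sample list A <-> B <-> C <-> D (circular). */
static void link4(struct list_head n[4]) {
    for (int i = 0; i < 4; i++) {
        n[i].next = &n[(i + 1) % 4];
        n[i].prev = &n[(i + 3) % 4];
    }
}
/* Consistent: every p->next->prev == p and the walk returns to head. */
static bool list_consistent(const struct list_head *head) {
    const struct list_head *p = head;
    for (int i = 0; i < 8; i++) {
        if (p->next->prev != p) return false;
        if ((p = p->next) == head) return true;
    }
    return false;
}
static void list_del_init(struct list_head *e) {
    e->next->prev = e->prev;
    e->prev->next = e->next;
    e->next = e->prev = e;
}
/* Unlocked: both deleters load prev/next before either one stores. */
bool replay_race(void) {
    struct list_head n[4], *A = &n[0], *B = &n[1], *C = &n[2];
    link4(n);
    struct list_head *prev1 = B->prev, *next1 = B->next; /* deleter of B */
    struct list_head *prev2 = C->prev, *next2 = C->next; /* deleter of C */
    next1->prev = prev1;    /* C->prev = A */
    next2->prev = prev2;    /* D->prev = B, but B is being removed */
    prev1->next = next1;    /* A->next = C, but C is being removed */
    prev2->next = next2;    /* B->next = D */
    B->next = B->prev = B; C->next = C->prev = C; /* list_del_init() tail */
    return list_consistent(A);
}
/* Serialized: the order a mutex around unlink_group() enforces. */
bool replay_serialized(void) {
    struct list_head n[4], *A = &n[0], *D = &n[3];
    link4(n);
    list_del_init(&n[1]); list_del_init(&n[2]); /* B completes, then C */
    return list_consistent(A) && A->next == D && D->prev == A;
}
int main(void) {
    printf("race=%d serialized=%d\n", replay_race(), replay_serialized());
    return 0;
}
```

In the unlocked replay A->next still points at C after C has been re-initialised to point at itself, so a forward walk from A never returns to the head.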

Affected configurations

Node:
linux | linux_kernel | Range 2.6.16 - 4.9.304
OR
linux | linux_kernel | Range 4.10 - 4.14.269
OR
linux | linux_kernel | Range 4.15 - 4.19.232
OR
linux | linux_kernel | Range 4.20 - 5.4.182
OR
linux | linux_kernel | Range 5.5 - 5.10.103
OR
linux | linux_kernel | Range 5.11 - 5.15.26
OR
linux | linux_kernel | Range 5.16 - 5.16.12

Vendor | Product | Version | CPE
linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/configfs/dir.c"
    ],
    "versions": [
      {
        "version": "7063fbf22611",
        "lessThan": "40805099af11",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "7063fbf22611",
        "lessThan": "d1654de19d42",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "7063fbf22611",
        "lessThan": "a37024f7757c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "7063fbf22611",
        "lessThan": "b7e2b91fcb5c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "7063fbf22611",
        "lessThan": "a7ab53d3c27d",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "7063fbf22611",
        "lessThan": "e7a66dd26877",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "7063fbf22611",
        "lessThan": "3aadfd46858b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "7063fbf22611",
        "lessThan": "84ec758fb2da",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/configfs/dir.c"
    ],
    "versions": [
      {
        "version": "2.6.16",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "2.6.16",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.9.304",
        "lessThanOrEqual": "4.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.14.269",
        "lessThanOrEqual": "4.14.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.232",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.182",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.103",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.26",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.16.12",
        "lessThanOrEqual": "5.16.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.17",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]
