In the Linux kernel, the following vulnerability has been resolved:
mm/slab_common: fix possible double free of kmem_cache When doing
slub_debug test, kfence’s ‘test_memcache_typesafe_by_rcu’ kunit test case
cause a use-after-free error: BUG: KASAN: use-after-free in
kobject_del+0x14/0x30 Read of size 8 at addr ffff888007679090 by task
kunit_try_catch/261 CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G B N
6.0.0-rc5-next-20220916 #17 Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x34/0x48
print_address_description.constprop.0+0x87/0x2a5 print_report+0x103/0x1ed
kasan_report+0xb7/0x140 kobject_del+0x14/0x30
kmem_cache_destroy+0x130/0x170 test_exit+0x1a/0x30
kunit_try_run_case+0xad/0xc0 kunit_generic_run_threadfn_adapter+0x26/0x50
kthread+0x17b/0x1b0 </TASK> The cause is inside kmem_cache_destroy():
kmem_cache_destroy acquire lock/mutex shutdown_cache
schedule_work(kmem_cache_release) (if RCU flag set) release lock/mutex
kmem_cache_release (if RCU flag not set) In some certain timing, the
scheduled work could be run before the next RCU flag checking, which can
then get a wrong value and lead to double kmem_cache_release(). Fix it by
caching the RCU flag inside protected area, just like ‘refcnt’
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
git.kernel.org/linus/d71608a877362becdc94191f190902fac1e64d35 (6.0-rc7)
git.kernel.org/stable/c/c673c6ceac53fb2e631c9fbbd79957099a08927f
git.kernel.org/stable/c/d71608a877362becdc94191f190902fac1e64d35
launchpad.net/bugs/cve/CVE-2022-48649
nvd.nist.gov/vuln/detail/CVE-2022-48649
security-tracker.debian.org/tracker/CVE-2022-48649
www.cve.org/CVERecord?id=CVE-2022-48649