CVE-2022-48921

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48921
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48921.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48921
Published
2024-08-22T02:15:08Z
Modified
2024-09-18T03:22:40.536673Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

sched/fair: Fix fault in reweight_entity

Syzbot found a GPF in reweight_entity. This has been bisected to commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid sched_task_group")

There is a race between sched_post_fork() and setpriority(PRIO_PGRP) within a thread group that causes a null-ptr-deref in reweight_entity() in CFS. The scenario is that the main process spawns a number of new threads, which then call setpriority(PRIO_PGRP, 0, -20), wait, and exit. For each of the new threads the copy_process() gets invoked, which adds the new task_struct and calls sched_post_fork() for it.

In the above scenario there is a possibility that setpriority(PRIO_PGRP) and set_one_prio() will be called for a thread in the group that is just being created by copy_process(), and for which the sched_post_fork() has not been executed yet. This will trigger a null pointer dereference in reweight_entity(), as it will try to access the run queue pointer, which hasn't been set.

Before the mentioned change the cfs_rq pointer for the task has been set in sched_fork(), which is called much earlier in copy_process(), before the new task is added to the thread_group. Now it is done in the sched_post_fork(), which is called after that. To fix the issue, remove the update_load param from the update_load param() function and call reweight_task() only if the task flag doesn't have the TASK_NEW flag set.

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.140-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.16.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.16.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}