CVE-2022-48921

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-48921

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48921.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-48921

Related

Published

2024-08-22T02:15:08Z

Modified

2024-09-18T03:22:40.536673Z

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

sched/fair: Fix fault in reweight_entity

Syzbot found a GPF in reweightentity. This has been bisected to commit 4ef0c5c6b5ba ("kernel/sched: Fix schedfork() access an invalid schedtaskgroup")

There is a race between schedpostfork() and setpriority(PRIOPGRP) within a thread group that causes a null-ptr-deref in reweightentity() in CFS. The scenario is that the main process spawns number of new threads, which then call setpriority(PRIOPGRP, 0, -20), wait, and exit. For each of the new threads the copyprocess() gets invoked, which adds the new taskstruct and calls schedpost_fork() for it.

In the above scenario there is a possibility that setpriority(PRIOPGRP) and setoneprio() will be called for a thread in the group that is just being created by copyprocess(), and for which the schedpostfork() has not been executed yet. This will trigger a null pointer dereference in reweight_entity(), as it will try to access the run queue pointer, which hasn't been set.

Before the mentioned change the cfsrq pointer for the task has been set in schedfork(), which is called much earlier in copyprocess(), before the new task is added to the threadgroup. Now it is done in the schedpostfork(), which is called after that. To fix the issue the remove the updateload param from the updateload param() function and call reweighttask() only if the task flag doesn't have the TASKNEW flag set.

References

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.140-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

5.10.127-1

5.10.127-2~bpo10+1

5.10.127-2

5.10.136-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.16.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.16.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}