CVE-2022-49511

listadd corruption. prev->next should be next (ffffffffc0ceb090), but was ffffec604507edc8. (prev=ffffec604507edc8). WARNING: CPU: 65 PID: 3959 at lib/listdebug.c:26 listaddvalid+0x53/0x80 CPU: 65 PID: 3959 Comm: fbdev Tainted: G U RIP: 0010:listaddvalid+0x53/0x80 Call Trace: <TASK> fbdeferrediomkwrite+0xea/0x150 dopagemkwrite+0x57/0xc0 dowppage+0x278/0x2f0 _handlemmfault+0xdc2/0x1590 handlemmfault+0xdd/0x2c0 douseraddrfault+0x1d3/0x650 excpagefault+0x77/0x180 ? asmexcpagefault+0x8/0x30 asmexcpage_fault+0x1e/0x30

RIP: 0033:0x7fd98fc8fad1

Figure out the race happens when one process is adding &page->lru into the pagelist tail in fbdeferrediomkwrite(), another process is re-initializing the same &page->lru in fbdeferrediofault(), which is not protected by the lock.

This fix is to init all the page lists one time during initialization, it not only fixes the list corruption, but also avoids INITLISTHEAD() redundantly.

V2: change "int i" to "unsigned int i" (Geert Uytterhoeven)

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5d3aff76a3165087b0f897c0d677dfa987d9875d

Fixed

e79b2b2aadeffe1db54a6b569b9b621575c3eb07

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

105a940416fc622406653b6fe54732897642dfbc

Fixed

6a9ae2fe887042f76fd3d334349e64e8ab3c55a2

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

105a940416fc622406653b6fe54732897642dfbc

Fixed

856082f021a28221db2c32bd0531614a8382be67

Affected versions

v5.*

v5.17

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.18.1

v5.18.2

Database specific

vanir_signatures

[
    {
        "id": "CVE-2022-49511-03123817",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e79b2b2aadeffe1db54a6b569b9b621575c3eb07",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "297590054080278793066828422254664651228",
                "118574717515334784268418279329786023948",
                "190388453815145846172686351339455189908",
                "16193582305435133738120689557033787417",
                "190819777742327348973320708704091894471",
                "299076341042009846847410439171540266757",
                "326033828871635023928459535161586397901",
                "205673123729332240470537523948027339420",
                "312590284188220869464303205160799031213",
                "50569096469864413210829367516597148046",
                "115128916536371159535451060397582526780",
                "62347048472570591304844063493048562641"
            ]
        },
        "signature_type": "Line",
        "target": {
            "file": "drivers/video/fbdev/core/fb_defio.c"
        }
    },
    {
        "id": "CVE-2022-49511-0ca0581c",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6a9ae2fe887042f76fd3d334349e64e8ab3c55a2",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "297590054080278793066828422254664651228",
                "118574717515334784268418279329786023948",
                "190388453815145846172686351339455189908",
                "16193582305435133738120689557033787417",
                "190819777742327348973320708704091894471",
                "299076341042009846847410439171540266757",
                "326033828871635023928459535161586397901",
                "205673123729332240470537523948027339420",
                "312590284188220869464303205160799031213",
                "50569096469864413210829367516597148046",
                "115128916536371159535451060397582526780",
                "62347048472570591304844063493048562641"
            ]
        },
        "signature_type": "Line",
        "target": {
            "file": "drivers/video/fbdev/core/fb_defio.c"
        }
    },
    {
        "id": "CVE-2022-49511-1ecf0fdf",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@856082f021a28221db2c32bd0531614a8382be67",
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "297590054080278793066828422254664651228",
                "118574717515334784268418279329786023948",
                "190388453815145846172686351339455189908",
                "16193582305435133738120689557033787417",
                "190819777742327348973320708704091894471",
                "299076341042009846847410439171540266757",
                "326033828871635023928459535161586397901",
                "205673123729332240470537523948027339420",
                "312590284188220869464303205160799031213",
                "50569096469864413210829367516597148046",
                "115128916536371159535451060397582526780",
                "62347048472570591304844063493048562641"
            ]
        },
        "signature_type": "Line",
        "target": {
            "file": "drivers/video/fbdev/core/fb_defio.c"
        }
    },
    {
        "id": "CVE-2022-49511-3c45abf3",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e79b2b2aadeffe1db54a6b569b9b621575c3eb07",
        "signature_version": "v1",
        "digest": {
            "length": 255.0,
            "function_hash": "96986797482165603014187956447474038641"
        },
        "signature_type": "Function",
        "target": {
            "function": "fb_deferred_io_init",
            "file": "drivers/video/fbdev/core/fb_defio.c"
        }
    },
    {
        "id": "CVE-2022-49511-671af238",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6a9ae2fe887042f76fd3d334349e64e8ab3c55a2",
        "signature_version": "v1",
        "digest": {
            "length": 575.0,
            "function_hash": "187722377382758529598556925009390064911"
        },
        "signature_type": "Function",
        "target": {
            "function": "fb_deferred_io_fault",
            "file": "drivers/video/fbdev/core/fb_defio.c"
        }
    },
    {
        "id": "CVE-2022-49511-c2c43b63",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@856082f021a28221db2c32bd0531614a8382be67",
        "signature_version": "v1",
        "digest": {
            "length": 255.0,
            "function_hash": "96986797482165603014187956447474038641"
        },
        "signature_type": "Function",
        "target": {
            "function": "fb_deferred_io_init",
            "file": "drivers/video/fbdev/core/fb_defio.c"
        }
    },
    {
        "id": "CVE-2022-49511-d180a591",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6a9ae2fe887042f76fd3d334349e64e8ab3c55a2",
        "signature_version": "v1",
        "digest": {
            "length": 255.0,
            "function_hash": "96986797482165603014187956447474038641"
        },
        "signature_type": "Function",
        "target": {
            "function": "fb_deferred_io_init",
            "file": "drivers/video/fbdev/core/fb_defio.c"
        }
    },
    {
        "id": "CVE-2022-49511-e3b8d24e",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@856082f021a28221db2c32bd0531614a8382be67",
        "signature_version": "v1",
        "digest": {
            "length": 575.0,
            "function_hash": "187722377382758529598556925009390064911"
        },
        "signature_type": "Function",
        "target": {
            "function": "fb_deferred_io_fault",
            "file": "drivers/video/fbdev/core/fb_defio.c"
        }
    },
    {
        "id": "CVE-2022-49511-f9922cdf",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e79b2b2aadeffe1db54a6b569b9b621575c3eb07",
        "signature_version": "v1",
        "digest": {
            "length": 575.0,
            "function_hash": "187722377382758529598556925009390064911"
        },
        "signature_type": "Function",
        "target": {
            "function": "fb_deferred_io_fault",
            "file": "drivers/video/fbdev/core/fb_defio.c"
        }
    }
]

CVE-2022-49511

Easily hit the below list corruption:

RIP: 0033:0x7fd98fc8fad1

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Affected versions

v5.*

Database specific

vanir_signatures

Linux / Kernel

Package

Affected ranges