CVE-2022-49567

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49567
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49567.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49567
Downstream
Published
2025-02-26T02:23:12.222Z
Modified
2025-12-23T20:48:38.122183Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
mm/mempolicy: fix uninit-value in mpol_rebind_policy()
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/mempolicy: fix uninit-value in mpol_rebind_policy()

mpol_set_nodemask() (mm/mempolicy.c) does not set up the nodemask when pol->mode is MPOL_LOCAL. Check pol->mode before accessing pol->w.cpuset_mems_allowed in mpol_rebind_policy() (mm/mempolicy.c).

BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:352 [inline]
BUG: KMSAN: uninit-value in mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368
 mpol_rebind_policy mm/mempolicy.c:352 [inline]
 mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368
 cpuset_change_task_nodemask kernel/cgroup/cpuset.c:1711 [inline]
 cpuset_attach+0x787/0x15e0 kernel/cgroup/cpuset.c:2278
 cgroup_migrate_execute+0x1023/0x1d20 kernel/cgroup/cgroup.c:2515
 cgroup_migrate kernel/cgroup/cgroup.c:2771 [inline]
 cgroup_attach_task+0x540/0x8b0 kernel/cgroup/cgroup.c:2804
 __cgroup1_procs_write+0x5cc/0x7a0 kernel/cgroup/cgroup-v1.c:520
 cgroup1_tasks_write+0x94/0xb0 kernel/cgroup/cgroup-v1.c:539
 cgroup_file_write+0x4c2/0x9e0 kernel/cgroup/cgroup.c:3852
 kernfs_fop_write_iter+0x66a/0x9f0 fs/kernfs/file.c:296
 call_write_iter include/linux/fs.h:2162 [inline]
 new_sync_write fs/read_write.c:503 [inline]
 vfs_write+0x1318/0x2030 fs/read_write.c:590
 ksys_write+0x28b/0x510 fs/read_write.c:643
 __do_sys_write fs/read_write.c:655 [inline]
 __se_sys_write fs/read_write.c:652 [inline]
 __x64_sys_write+0xdb/0x120 fs/read_write.c:652
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 slab_alloc mm/slub.c:3259 [inline]
 kmem_cache_alloc+0x902/0x11c0 mm/slub.c:3264
 mpol_new mm/mempolicy.c:293 [inline]
 do_set_mempolicy+0x421/0xb70 mm/mempolicy.c:853
 kernel_set_mempolicy mm/mempolicy.c:1504 [inline]
 __do_sys_set_mempolicy mm/mempolicy.c:1510 [inline]
 __se_sys_set_mempolicy+0x44c/0xb60 mm/mempolicy.c:1507
 __x64_sys_set_mempolicy+0xd8/0x110 mm/mempolicy.c:1507
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

KMSAN: uninit-value in mpol_rebind_task (2) https://syzkaller.appspot.com/bug?id=d6eb90f952c2a5de9ea718a1b873c55cb13b59dc

This patch seems to fix the bug below too.
KMSAN: uninit-value in mpol_rebind_mm (2) https://syzkaller.appspot.com/bug?id=f2fecd0d7013f54ec4162f60743a2b28df40926b

The uninit-value is pol->w.cpuset_mems_allowed in mpol_rebind_policy(). When the syzkaller reproducer runs to the beginning of mpol_new(),

    mpol_new() mm/mempolicy.c
  do_mbind() mm/mempolicy.c
kernel_mbind() mm/mempolicy.c

mode is 1 (MPOL_PREFERRED), nodes_empty(*nodes) is true and flags is 0. Then

mode = MPOL_LOCAL;
...
policy->mode = mode;
policy->flags = flags;

will be executed. So in mpol_set_nodemask(),

    mpol_set_nodemask() mm/mempolicy.c
  do_mbind()
kernel_mbind()

pol->mode is 4 (MPOL_LOCAL), so the nodemask in pol is not initialized, and it is then accessed in mpol_rebind_policy().
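The chain described above as an added user-space model (not kernel code; the struct layout, the w_valid flag and run_scenario() are simplified stand-ins for mm/mempolicy.c): mpol_new() demotes an empty MPOL_PREFERRED to MPOL_LOCAL, mpol_set_nodemask() then leaves pol->w untouched, and only the mode check the fix adds keeps mpol_rebind_policy() from reading it.

```c
/* Added example, not kernel code: a user-space model of CVE-2022-49567; structs,
 * the w_valid flag and run_scenario() are simplified stand-ins for mm/mempolicy.c. */
#include <stdbool.h>
#include <stdint.h>

enum { MPOL_DEFAULT, MPOL_PREFERRED, MPOL_BIND, MPOL_INTERLEAVE, MPOL_LOCAL };
enum { REBIND_SKIPPED, REBIND_DONE, REBIND_UNINIT_READ };
typedef struct { uint64_t bits; } nodemask_t;   /* toy nodemask: one bit per node */
struct mempolicy {
    int mode;
    struct { nodemask_t cpuset_mems_allowed; } w;
    bool w_valid;   /* stands in for KMSAN's shadow: was w.cpuset_mems_allowed ever written? */
};
/* Models mpol_new() with flags == 0: MPOL_PREFERRED with an empty nodemask
 * becomes MPOL_LOCAL, the "mode = MPOL_LOCAL" step quoted above. */
static void mpol_new(struct mempolicy *pol, int mode, nodemask_t nodes)
{
    if (mode == MPOL_PREFERRED && nodes.bits == 0)
        mode = MPOL_LOCAL;
    pol->mode = mode;
    pol->w_valid = false;   /* fresh kmem_cache_alloc(): pol->w holds garbage */
}
/* Models mpol_set_nodemask(): for MPOL_LOCAL, pol->w is never set up. */
static void mpol_set_nodemask(struct mempolicy *pol, nodemask_t cpuset_allowed)
{
    if (pol->mode == MPOL_LOCAL)
        return;
    pol->w.cpuset_mems_allowed = cpuset_allowed;
    pol->w_valid = true;
}
/* Models mpol_rebind_policy() before (fixed == false) and after the fix, which
 * checks pol->mode before nodes_equal() reads pol->w.cpuset_mems_allowed. */
static int mpol_rebind_policy(struct mempolicy *pol, nodemask_t newmask, bool fixed)
{
    if (!pol || (fixed && pol->mode == MPOL_LOCAL))
        return REBIND_SKIPPED;
    if (!pol->w_valid)   /* the nodes_equal() read that KMSAN reported as uninit */
        return REBIND_UNINIT_READ;
    pol->w.cpuset_mems_allowed = newmask;   /* stand-in for mpol_ops[mode].rebind() */
    return REBIND_DONE;
}
/* set_mempolicy(mode, nodes) while allowed mems are 0x1, then a cpuset move to 0x3. */
static int run_scenario(int mode, uint64_t nodes, bool fixed)
{
    struct mempolicy pol;
    mpol_new(&pol, mode, (nodemask_t){ nodes });
    mpol_set_nodemask(&pol, (nodemask_t){ 0x1 });
    return mpol_rebind_policy(&pol, (nodemask_t){ 0x3 }, fixed);
}
```

With the reproducer's inputs (MPOL_PREFERRED, empty nodemask) the unfixed path returns REBIND_UNINIT_READ; with the fix it skips the policy, while a normally initialised policy such as MPOL_BIND is still rebound.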

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49567.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7858d7bca7fbbbbd5b940d2ec371b2d060b21b84
Fixed
8c5429a04ccd8dbcc3c753dab2f4126774ec28d4
Fixed
777e563f10e91e91130fe06bee85220d508e7b9b
Fixed
018160ad314d75b1409129b2247b614a9f35894c

Affected versions

v5.*

v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.18.1
v5.18.10
v5.18.11
v5.18.12
v5.18.13
v5.18.14
v5.18.2
v5.18.3
v5.18.4
v5.18.5
v5.18.6
v5.18.7
v5.18.8
v5.18.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49567.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.14.0
Fixed
5.15.58
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.18.15

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49567.json"