CVE-2022-48931

In the Linux kernel, the following vulnerability has been resolved: configfs: fix a race in configfs_{,un}register_subsystem() When configfs_register_subsystem() or configfs_unregister_subsystem() is executing link_group() or unlink_group(), it is possible that two processes add or delete list concurrently. Some unfortunate interleavings of them can cause kernel panic. One of cases is: A --> B --> C --> D A <-- B <-- C <-- D delete list_head *B | delete list_head *C --------------------------------|----------------------------------- configfs_unregister_subsystem | configfs_unregister_subsystem unlink_group | unlink_group unlink_obj | unlink_obj list_del_init | list_del_init __list_del_entry | __list_del_entry __list_del | __list_del // next == C | next->prev = prev | | next->prev = prev prev->next = next | | // prev == B | prev->next = next Fix this by adding mutex when calling link_group() or unlink_group(), but parent configfs_subsystem is NULL when config_item is root. So I create a mutex configfs_subsystem_mutex.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

23 Aug 2024, 01:54

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/3aadfd46858b1f64d4d6a0654b863e21aabff975 - () https://git.kernel.org/stable/c/3aadfd46858b1f64d4d6a0654b863e21aabff975 - Patch
References () https://git.kernel.org/stable/c/40805099af11f68c5ca7dbcfacf455da8f99f622 - () https://git.kernel.org/stable/c/40805099af11f68c5ca7dbcfacf455da8f99f622 - Patch
References () https://git.kernel.org/stable/c/84ec758fb2daa236026506868c8796b0500c047d - () https://git.kernel.org/stable/c/84ec758fb2daa236026506868c8796b0500c047d - Patch
References () https://git.kernel.org/stable/c/a37024f7757c25550accdebf49e497ad6ae239fe - () https://git.kernel.org/stable/c/a37024f7757c25550accdebf49e497ad6ae239fe - Patch
References () https://git.kernel.org/stable/c/a7ab53d3c27dfe83bb594456b9f38a37796ec39b - () https://git.kernel.org/stable/c/a7ab53d3c27dfe83bb594456b9f38a37796ec39b - Patch
References () https://git.kernel.org/stable/c/b7e2b91fcb5c78c414e33dc8d50642e307ca0c5a - () https://git.kernel.org/stable/c/b7e2b91fcb5c78c414e33dc8d50642e307ca0c5a - Patch
References () https://git.kernel.org/stable/c/d1654de19d42f513b6cfe955cc77e7f427e05a77 - () https://git.kernel.org/stable/c/d1654de19d42f513b6cfe955cc77e7f427e05a77 - Patch
References () https://git.kernel.org/stable/c/e7a66dd2687758718eddd79b542a95cf3aa488cc - () https://git.kernel.org/stable/c/e7a66dd2687758718eddd79b542a95cf3aa488cc - Patch
First Time Linux linux Kernel
Linux
CWE CWE-362
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.7
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

22 Aug 2024, 12:48

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: configfs: arregla una ejecución en configfs_{,un}register_subsystem() Cuando configfs_register_subsystem() o configfs_unregister_subsystem() está ejecutando link_group() o unlink_group(), es posible que dos procesos agregar o eliminar la lista al mismo tiempo. Algunas intercalaciones desafortunadas de ellos pueden causar pánico en el kernel. Uno de los casos es: A --&gt; B --&gt; C --&gt; DA &lt;-- B &lt;-- C &lt;-- D eliminar list_head *B | eliminar list_head *C --------------------------------|------------- ---------------------- configfs_unregister_subsystem | configfs_unregister_subsystem unlink_group | desvincular_grupo desvincular_obj | unlink_obj list_del_init | list_del_init __list_del_entry | __list_del_entry __list_del | __list_del // siguiente == C | siguiente-&gt;anterior = anterior | | siguiente-&gt;anterior = anterior anterior-&gt;siguiente = siguiente | | // anterior == B | prev-&gt;next = next Solucione esto agregando mutex al llamar a link_group() o unlink_group(), pero el configfs_subsystem principal es NULL cuando config_item es root. Entonces creo un mutex configfs_subsystem_mutex.

22 Aug 2024, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-22 04:15

Updated : 2024-08-23 01:54


NVD link : CVE-2022-48931

Mitre link : CVE-2022-48931

CVE.ORG link : CVE-2022-48931


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')