CVE-2022-48921
sched/fair: Fix fault in reweight_entity
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
sched/fair: Fix fault in reweight_entity
Syzbot found a GPF in reweight_entity. This has been bisected to
commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid
sched_task_group")
There is a race between sched_post_fork() and setpriority(PRIO_PGRP)
within a thread group that causes a null-ptr-deref in
reweight_entity() in CFS. The scenario is that the main process spawns
number of new threads, which then call setpriority(PRIO_PGRP, 0, -20),
wait, and exit. For each of the new threads the copy_process() gets
invoked, which adds the new task_struct and calls sched_post_fork()
for it.
In the above scenario there is a possibility that
setpriority(PRIO_PGRP) and set_one_prio() will be called for a thread
in the group that is just being created by copy_process(), and for
which the sched_post_fork() has not been executed yet. This will
trigger a null pointer dereference in reweight_entity(), as it will
try to access the run queue pointer, which hasn't been set.
Before the mentioned change the cfs_rq pointer for the task has been
set in sched_fork(), which is called much earlier in copy_process(),
before the new task is added to the thread_group. Now it is done in
the sched_post_fork(), which is called after that. To fix the issue
the remove the update_load param from the update_load param() function
and call reweight_task() only if the task flag doesn't have the
TASK_NEW flag set.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-08-21 CVE Reserved
- 2024-08-22 CVE Published
- 2024-09-13 EPSS Updated
- 2024-11-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/c85c6fadbef0a3eab41540ea628fa8fe8928c820 | Vuln. Introduced | |
| https://git.kernel.org/stable/c/3869eecf050416a1d19bac60926f6b5d64b0aa58 | Vuln. Introduced | |
| https://git.kernel.org/stable/c/4ef0c5c6b5ba1f38f0ea1cedad0cad722f00c14a | Vuln. Introduced | |
| https://git.kernel.org/stable/c/25d40b828fb855ee62e1039c65a666c9afd60786 | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.10.80 < 5.10.137 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.80 < 5.10.137" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15.3 < 5.15.27 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.3 < 5.15.27" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.16 < 5.16.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16 < 5.16.13" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.16 < 5.17 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.16 < 5.17" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 5.14.19 Search vendor "Linux" for product "Linux Kernel" and version "5.14.19" | en |
Affected
| ||||||