CVE-2022-48988

memcg: fix possible use-after-free in memcg_write_event_control()

Severity Score

7.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

MITRE
TN

In the Linux kernel, the following vulnerability has been resolved: memcg: fix possible use-after-free in memcg_write_event_control() memcg_write_event_control() accesses the dentry->d_name of the specified
control fd to route the write call. As a cgroup interface file can't be
renamed, it's safe to access d_name as long as the specified file is a
regular cgroup file. Also, as these cgroup interface files can't be
removed before the directory, it's safe to access the parent too. Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a
call to __file_cft() which verified that the specified file is a regular
cgroupfs file before further accesses. The cftype pointer returned from
__file_cft() was no longer necessary and the commit inadvertently dropped
the file type check with it allowing any file to slip through. With the
invarients broken, the d_name and parent accesses can now race against
renames and removals of arbitrary files and cause use-after-free's. Fix the bug by resurrecting the file type check in __file_cft(). Now that
cgroupfs is implemented through kernfs, checking the file operations needs
to go through a layer of indirection. Instead, let's check the superblock
and dentry type.

In the Linux kernel, the following vulnerability has been resolved: memcg: fix possible use-after-free in memcg_write_event_control() memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too. Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it allowing any file to slip through. With the invarients broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-free's. Fix the bug by resurrecting the file type check in __file_cft(). Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-08-22 CVE Reserved
2024-10-21 CVE Published
2024-12-19 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (10)

URL	Tag	Source
https://git.kernel.org/stable/c/347c4a8747104a945ecced358944e42879176ca5	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/b77600e26fd48727a95ffd50ba1e937efb548125	2022-12-14
https://git.kernel.org/stable/c/e1ae97624ecf400ea56c238bff23e5cd139df0b8	2022-12-14
https://git.kernel.org/stable/c/35963b31821920908e397146502066f6b032c917	2022-12-14
https://git.kernel.org/stable/c/f1f7f36cf682fa59db15e2089039a2eeb58ff2ad	2022-12-14
https://git.kernel.org/stable/c/aad8bbd17a1d586005feb9226c2e9cfce1432e13	2022-12-14
https://git.kernel.org/stable/c/0ed074317b835caa6c03bcfa8f133365324673dc	2022-12-14
https://git.kernel.org/stable/c/4a7ba45b1a435e7097ca0f79a847d0949d0eb088	2022-12-10

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-48988	2023-11-14
https://bugzilla.redhat.com/show_bug.cgi?id=2320681	2023-11-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 4.14.302 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 4.14.302"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 4.19.269 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 4.19.269"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 5.4.227 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 5.4.227"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 5.10.159 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 5.10.159"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 5.15.83 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 5.15.83"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 6.0.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 6.0.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 3.14 < 6.1 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.14 < 6.1"		en		Affected