5.5 CVE-2022-49080

Enriched by CISA Patch
 

In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix mpol_new leak in shared_policy_replace If mpol_new is allocated but not used in restart loop, mpol_new will be freed via mpol_put before returning to the caller. But refcnt is not initialized yet, so mpol_put could not do the right things and might leak the unused mpol_new. This would happen if mempolicy was updated on the shared shmem file while the sp->lock has been dropped during the memory allocation. This issue could be triggered easily with the below code snippet if there are many processes doing the below work at the same time: shmid = shmget((key_t)5566, 1024 * PAGE_SIZE, 0666|IPC_CREAT); shm = shmat(shmid, 0, 0); loop many times { mbind(shm, 1024 * PAGE_SIZE, MPOL_LOCAL, mask, maxnode, 0); mbind(shm + 128 * PAGE_SIZE, 128 * PAGE_SIZE, MPOL_DEFAULT, mask, maxnode, 0); }
https://nvd.nist.gov/vuln/detail/CVE-2022-49080

Categories

CWE-401 : Missing Release of Memory after Effective Lifetime
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Use an abstraction library to abstract away risky APIs. Not a complete solution. The Boehm-Demers-Weiser Garbage Collector or valgrind can be used to detect leaks in code. Memory leak because function does not free() an element of a data structure. Memory leak when counter variable is not decremented. chain: reference count is not decremented, leading to memory leak in OS by sending ICMP packets. Kernel uses wrong function to release a data structure, preventing data from being properly tracked by other code. Memory leak via unknown manipulations as part of protocol test suite. Memory leak via a series of the same command.

References


 

AFFECTED (from MITRE)

Vendor Product Versions
Linux Linux
  • 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 < 8510c2346d9e47a72b7f018a36ef0c39483e53d6 [affected]
  • 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 < 5e16dc5378abd749a836daa9ee4ab2c8d2668999 [affected]
  • 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 < 39a32f3c06f6d68a530bf9612afa19f50f12e93d [affected]
  • 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 < 25f506273b6ae806fd46bfcb6fdaa5b9ec81a05b [affected]
  • 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 < f7e183b0a7136b6dc9c7b9b2a85a608a8feba894 [affected]
  • 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 < 198932a14aeb19a15cf19e51e151d023bc4cd648 [affected]
  • 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 < 6e00309ac716fa8225f0cbde2cd9c24f0e74ee21 [affected]
  • 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 < fe39ac59dbbf893b73b24e3184161d0bd06d6651 [affected]
  • 42288fe366c4f1ce7522bc9f27d0bc2a81c55264 < 4ad099559b00ac01c3726e5c95dc3108ef47d03e [affected]
Linux Linux
  • 3.8 [affected]
  • < 3.8 [unaffected]
  • 4.9.311 ≤ 4.9.* [unaffected]
  • 4.14.276 ≤ 4.14.* [unaffected]
  • 4.19.238 ≤ 4.19.* [unaffected]
  • 5.4.189 ≤ 5.4.* [unaffected]
  • 5.10.111 ≤ 5.10.* [unaffected]
  • 5.15.34 ≤ 5.15.* [unaffected]
  • 5.16.20 ≤ 5.16.* [unaffected]
  • 5.17.3 ≤ 5.17.* [unaffected]
  • 5.18 ≤ * [unaffected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end
Configuration 1
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 3.8.1 < 4.9.311
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 4.10 < 4.14.276
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 4.15 < 4.19.238
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 4.20 < 5.4.189
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 5.5 < 5.10.111
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 5.11 < 5.15.34
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 5.16 < 5.16.20
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* >= 5.17 < 5.17.3
cpe:2.3:o:linux:linux_kernel:3.8:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.8:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.8:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.8:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.8:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.8:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:3.8:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*

REMEDIATION

Patch

Url
https://git.kernel.org/stable/c/198932a14aeb19a15cf19e51e151d023bc4cd648
https://git.kernel.org/stable/c/25f506273b6ae806fd46bfcb6fdaa5b9ec81a05b
https://git.kernel.org/stable/c/39a32f3c06f6d68a530bf9612afa19f50f12e93d
https://git.kernel.org/stable/c/4ad099559b00ac01c3726e5c95dc3108ef47d03e
https://git.kernel.org/stable/c/5e16dc5378abd749a836daa9ee4ab2c8d2668999
https://git.kernel.org/stable/c/6e00309ac716fa8225f0cbde2cd9c24f0e74ee21
https://git.kernel.org/stable/c/8510c2346d9e47a72b7f018a36ef0c39483e53d6
https://git.kernel.org/stable/c/f7e183b0a7136b6dc9c7b9b2a85a608a8feba894
https://git.kernel.org/stable/c/fe39ac59dbbf893b73b24e3184161d0bd06d6651

EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
No entry