Bug 1197246 (CVE-2022-0995)

Summary: VUL-0: CVE-2022-0995: kernel: kernel bug in the watch_queue subsystem
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: abergmann, carlos.lopez, pmladek, rgoldwyn, security-team, smash_bz, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/326386/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-0995:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1197337

Description Alexander Bergmann 2022-03-17 15:58:58 UTC

The watch_queue event notification subsystem in the kernel has a couple of out-of-bounds writes that can be triggered by any user. These can be used to overwrite parts of the kernel state, potentially allowing the user to gain privileged access to or panic the system.


Comment 1 Takashi Iwai 2022-03-17 16:17:21 UTC
Something interesting for filesystem team?
Comment 2 David Disseldorp 2022-03-17 20:00:16 UTC
Thanks for the report. From an initial skim it looks as though this is relevant to SLE15-SP4 / Tumbleweed which carry CONFIG_WATCH_QUEUE=y with c73be61cede5 ("pipe: Add general notification queue support").
Comment 3 David Disseldorp 2022-03-21 09:40:19 UTC
I've prepared the 15-SP4 backports for this and will submit when finished with testing.
Comment 4 David Disseldorp 2022-03-23 09:25:08 UTC
The changes are queued for SLE15-SP4-GA. I had to make one minor change to avoid kABI breakage from the sizeof(type_filter) reduction:

--- a/include/linux/watch_queue.h
+++ b/include/linux/watch_queue.h
@@ -28,7 +28,12 @@ struct watch_type_filter {
 struct watch_filter {
        union { 
                struct rcu_head rcu;
-               unsigned long   type_filter[2]; /* Bitmask of accepted types */
+               /* Bitmask of accepted types */
+#ifdef __GENKSYMS__
+               unsigned long type_filter[2];
+               DECLARE_BITMAP(type_filter, WATCH_TYPE__NR);
        u32                     nr_filters;     /* Number of filters */
        struct watch_type_filter filters[];
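Review bot: the `#ifdef __GENKSYMS__` in this hunk has no matching `#else` or `#endif` in the lines shown, so as pasted both `unsigned long type_filter[2];` and `DECLARE_BITMAP(type_filter, WATCH_TYPE__NR);` sit in the same union under one conditional, which would neither compile nor give genksyms the old declaration on its own. Confirm the submitted patch reads `#ifdef __GENKSYMS__`, old array, `#else`, `DECLARE_BITMAP(...)`, `#endif`, and consider stating in the commit message why the shrink is layout-safe: `type_filter` shares a union with `struct rcu_head rcu` (two pointers, the same 16 bytes as the old array on 64-bit), so the union size and the offset of `nr_filters` do not change and only the symbol CRC needs the old declaration.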
Comment 7 David Disseldorp 2022-03-28 09:41:26 UTC
Two more watch_queue fixes hit mainline just last week, which I'll also track via this ticket as a follow-up to the previous merge:

     "Here are fixes for a couple more watch_queue bugs, both found by syzbot:
       - Fix error cleanup in watch_queue_set_size() where it tries to clean
         up all the pointers in the page list, even if they've not been
         allocated yet[1]. Unfortunately, __free_page() doesn't treat a NULL
         pointer as being "do nothing".
         A second report[2] looks like it's probably the same bug, but on
         arm64 rather than x86_64, but there's no reproducer.
       - Fix a missing kfree in free_watch() to actually free the watch[3]"
    Link: https://lore.kernel.org/r/000000000000b1807c05daad8f98@google.com/ [1]
    Link: https://lore.kernel.org/r/000000000000035b9c05daae8a5e@google.com/ [2]
    Link: https://lore.kernel.org/r/000000000000bc8eaf05dab91c63@google.com/ [3]
    * 'keys-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
      watch_queue: Actually free the watch
      watch_queue: Fix NULL dereference in error cleanup
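The first of the two bugs quoted above, the error cleanup in watch_queue_set_size() freeing page-list slots that were never allocated, modelled in user space as an added example (not kernel code and not the mainline fix). The mock allocator, `mock_free_page()`, `NR_PAGES` and `struct cleanup_result` are assumptions of this example; the kernel's `__free_page()` is not NULL-safe, so the mock counts each NULL it is handed instead of crashing.

```c
/* Constructed user-space model of the watch_queue_set_size() error path
 * discussed above (not kernel code, not the mainline fix). The kernel's
 * __free_page() is not NULL-safe, so mock_free_page() counts each NULL it is
 * handed: every count is a NULL dereference the buggy cleanup would hit. */
#include <stdlib.h>
#include <string.h>
#define NR_PAGES 8            /* assumed list size for the demo */

/* null_frees: unallocated slots handed to the freer; real_frees: pages released */
struct cleanup_result { int null_frees; int real_frees; };

static void mock_free_page(void *page, struct cleanup_result *r)
{
    if (!page) { r->null_frees++; return; }  /* __free_page() would crash here */
    free(page);
    r->real_frees++;
}

/* Fill a zeroed page list until the simulated failure; return count allocated. */
static int alloc_page_list(void **pages, int nr_pages, int fail_at)
{
    int i;
    memset(pages, 0, sizeof(*pages) * (size_t)nr_pages);
    for (i = 0; i < nr_pages && i != fail_at; i++)
        pages[i] = calloc(1, 4096);     /* simulated page allocation */
    return i;
}

/* Buggy cleanup: walks the whole list although allocation stopped early. */
struct cleanup_result cleanup_buggy(int fail_at)
{
    void *pages[NR_PAGES];
    struct cleanup_result r = { 0, 0 };
    alloc_page_list(pages, NR_PAGES, fail_at);
    for (int i = 0; i < NR_PAGES; i++)
        mock_free_page(pages[i], &r);
    return r;
}

/* Fixed cleanup: unwinds only the entries that were actually allocated. */
struct cleanup_result cleanup_fixed(int fail_at)
{
    void *pages[NR_PAGES];
    struct cleanup_result r = { 0, 0 };
    int allocated = alloc_page_list(pages, NR_PAGES, fail_at);
    while (--allocated >= 0)
        mock_free_page(pages[allocated], &r);
    return r;
}
```

With a failure at slot 3, the buggy loop hands five NULL pointers to the freer while the fixed loop hands none; the same pattern applies to any partially initialised array freed on an error path.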
Comment 11 Petr Mladek 2022-05-03 12:54:16 UTC
This bug seems to approach a good date for CVE SLA fulfillment [1].
What is its status, please?
[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
Comment 12 David Disseldorp 2022-05-03 13:19:19 UTC
(In reply to Petr Mladek from comment #11)
> This bug seems to approach a good date for CVE SLA fulfillment [1].
> What is its status, please?

Fixes are all merged. I think this ticket can be closed - setting needinfo for security team.
Comment 13 David Disseldorp 2022-05-05 08:12:28 UTC
(In reply to David Disseldorp from comment #12)
> Fixes are all merged. I think this ticket can be closed - setting needinfo
> for security team.

Comment 14 Carlos López 2022-06-08 14:00:23 UTC
Done, closing.