Bugzilla – Bug 1197246
VUL-0: CVE-2022-0995: kernel: kernel bug in the watch_queue subsystem
Last modified: 2022-06-08 14:00:23 UTC
rh#2063786

The watch_queue event notification subsystem in the kernel has a couple of out-of-bounds writes that can be triggered by any user. These can be used to overwrite parts of the kernel state, potentially allowing the user to gain privileged access to or panic the system.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2063786
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0995
Something interesting for the filesystem team?
Thanks for the report. From an initial skim it looks as though this is relevant to SLE15-SP4 / Tumbleweed which carry CONFIG_WATCH_QUEUE=y with c73be61cede5 ("pipe: Add general notification queue support").
I've prepared the 15-SP4 backports for this and will submit when finished with testing.
The changes are queued for SLE15-SP4-GA . I had to make one minor change to avoid kABI breakage from the sizeof(type_filter) reduction: --- a/include/linux/watch_queue.h +++ b/include/linux/watch_queue.h @@ -28,7 +28,12 @@ struct watch_type_filter { struct watch_filter { union { struct rcu_head rcu; - unsigned long type_filter[2]; /* Bitmask of accepted types */ + /* Bitmask of accepted types */ +#ifdef __GENKSYMS__ + unsigned long type_filter[2]; +#else + DECLARE_BITMAP(type_filter, WATCH_TYPE__NR); +#endif }; u32 nr_filters; /* Number of filters */ struct watch_type_filter filters[];
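Review bot: the #ifdef __GENKSYMS__ branch in the struct watch_filter hunk only keeps the exported symbol CRC stable; it does not by itself guarantee that the layout is unchanged, so the backport should state why it is: the union's other member is struct rcu_head rcu, so the union stays as large as rcu_head, and DECLARE_BITMAP(type_filter, WATCH_TYPE__NR) must not exceed the old unsigned long[2] for nr_filters and filters[] to keep their offsets for modules built against the old header. A one-line comment inside the #ifdef saying that it is a kABI shim and that the DECLARE_BITMAP form is the real layout would also keep a later backporter from "fixing" it back.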
Two more watch_queue fixes hit mainline just last week, which I'll also track via this ticket as a follow-up to the previous merge:

"Here are fixes for a couple more watch_queue bugs, both found by syzbot:

- Fix error cleanup in watch_queue_set_size() where it tries to clean up all the pointers in the page list, even if they've not been allocated yet[1]. Unfortunately, __free_page() doesn't treat a NULL pointer as being "do nothing". A second report[2] looks like it's probably the same bug, but on arm64 rather than x86_64, but there's no reproducer.

- Fix a missing kfree in free_watch() to actually free the watch[3]"

Link: https://lore.kernel.org/r/000000000000b1807c05daad8f98@google.com/ [1]
Link: https://lore.kernel.org/r/000000000000035b9c05daae8a5e@google.com/ [2]
Link: https://lore.kernel.org/r/000000000000bc8eaf05dab91c63@google.com/ [3]

* 'keys-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  watch_queue: Actually free the watch
  watch_queue: Fix NULL dereference in error cleanup
This bug seems to approach a good date for CVE SLA fulfillment [1]. What is its status, please?

[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
(In reply to Petr Mladek from comment #11)
> This bug seems to approach a good date for CVE SLA fulfillment [1].
> What is its status, please?

Fixes are all merged. I think this ticket can be closed - setting needinfo for security team.
(In reply to David Disseldorp from comment #12)
...
> Fixes are all merged. I think this ticket can be closed - setting needinfo
> for security team.

Transferring...
Done, closing.