Opened 8 months ago
Closed 7 months ago
#5097 closed enhancement (fixed)
|Reported by:||Bruce Dubbs||Owned by:||lfs-book|
New point version.
Change History (3)
comment:1 by , 7 months ago
|Priority:||normal → high|
comment:2 by , 7 months ago
A fourth vulnerability CVE-2022-2585, which is actually more dangerous (can be exploited by a completely unpriviledged user):
posix-cpu-timers: Cleanup CPU timers before freeing them during exec Commit 55e8c8eb2c7b ("posix-cpu-timers: Store a reference to a pid not a task") started looking up tasks by PID when deleting a CPU timer. When a non-leader thread calls execve, it will switch PIDs with the leader process. Then, as it calls exit_itimers, posix_cpu_timer_del cannot find the task because the timer still points out to the old PID. That means that armed timers won't be disarmed, that is, they won't be removed from the timerqueue_list. exit_itimers will still release their memory, and when that list is later processed, it leads to a use-after-free. Clean up the timers from the de-threaded task before freeing them. This prevents a reported use-after-free.
comment:3 by , 7 months ago
|Status:||new → closed|
Fixed at r11.1-169-gf2af13d7a.
SA 11.1-099 is published.
Note: See TracTickets for help on using tickets.
See https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.19.2 for release notes
Unfortunately, this does contain some security fixes.
CVE-2022-1184 (ext4 filesystem)