{"release":{"tag":{"name":"4.19.90-2210.3.0","path":"/openeuler/kernel/tags/4.19.90-2210.3.0","tree_path":"/openeuler/kernel/tree/4.19.90-2210.3.0","message":"4.19.90-2210.3.0","commit":{"id":"edb25e44f5d5e5aedf424c02315a8e682481010a","short_id":"edb25e4","title":"binder: fix UAF of ref-\u003Eproc caused by race condition","title_markdown":"binder: fix UAF of ref-\u0026gt;proc caused by race condition","description":"\nmainline inclusion\nfrom mainline-v6.0-rc4\ncommit a0e44c64b6061dda7e00b7c458e4523e2331b739\ncategory: bugfix\nbugzilla: 187805, https://gitee.com/src-openeuler/kernel/issues/I5U713\nCVE: CVE-2022-20421\n\n--------------------------------\n\nA transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the\nreference for a node. In this case, the target proc normally releases\nthe failed reference upon close as expected. However, if the target is\ndying in parallel the call will race with binder_deferred_release(), so\nthe target could have released all of its references by now leaving the\ncleanup of the new failed reference unhandled.\n\nThe transaction then ends and the target proc gets released making the\nref-\u003Eproc now a dangling pointer. Later on, ref-\u003Enode is closed and we\nattempt to take spin_lock(\u0026ref-\u003Eproc-\u003Einner_lock), which leads to the\nuse-after-free bug reported below. 
Let's fix this by cleaning up the\nfailed reference on the spot instead of relying on the target to do so.\n\n  ==================================================================\n  BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150\n  Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590\n\n  CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10\n  Hardware name: linux,dummy-virt (DT)\n  Workqueue: events binder_deferred_func\n  Call trace:\n   dump_backtrace.part.0+0x1d0/0x1e0\n   show_stack+0x18/0x70\n   dump_stack_lvl+0x68/0x84\n   print_report+0x2e4/0x61c\n   kasan_report+0xa4/0x110\n   kasan_check_range+0xfc/0x1a4\n   __kasan_check_write+0x3c/0x50\n   _raw_spin_lock+0xa8/0x150\n   binder_deferred_func+0x5e0/0x9b0\n   process_one_work+0x38c/0x5f0\n   worker_thread+0x9c/0x694\n   kthread+0x188/0x190\n   ret_from_fork+0x10/0x20\n\nAcked-by: Christian Brauner (Microsoft) \u003Cbrauner@kernel.org\u003E\nSigned-off-by: Carlos Llamas \u003Ccmllamas@google.com\u003E\nCc: stable \u003Cstable@kernel.org\u003E # 4.14+\nLink: https://lore.kernel.org/r/20220801182511.3371447-1-cmllamas@google.com\nSigned-off-by: Greg Kroah-Hartman \u003Cgregkh@linuxfoundation.org\u003E\nSigned-off-by: Ren Zhijie \u003Crenzhijie2@huawei.com\u003E\nReviewed-by: Zhang Qiao \u003Czhangqiao22@huawei.com\u003E\nReviewed-by: Xiu Jianfeng \u003Cxiujianfeng@huawei.com\u003E\nReviewed-by: Chen Hui \u003Cjudy.chenhui@huawei.com\u003E\nSigned-off-by: Yongqiang Liu \u003Cliuyongqiang13@huawei.com\u003E","detail_path":"/openeuler/kernel/commit/edb25e44f5d5e5aedf424c02315a8e682481010a","commits_path":"/openeuler/kernel/commits/edb25e44f5d5e5aedf424c02315a8e682481010a","tree_path":"/openeuler/kernel/tree/edb25e44f5d5e5aedf424c02315a8e682481010a","author":{"name":"Carlos Llamas","email":"cmllamas@google.com","username":null,"user_path":null,"enterprise_user_path":null,"image_path":"no_portrait.png#Carlos Llamas-","is_gitee_user":false,"is_enterprise_user":null,"widget_url":null},"committer":{"name":"Yongqiang Liu","email":"duanzi@zju.edu.cn","username":null,"user_path":null,"enterprise_user_path":null,"image_path":"no_portrait.png#Yongqiang Liu-","is_gitee_user":false,"is_enterprise_user":null,"widget_url":null},"authored_date":"2022-10-18T06:53:31+00:00","committed_date":"2022-10-18T14:30:30+08:00","signature":null,"build_state":null},"archive_path":"/openeuler/kernel/repository/archive/4.19.90-2210.3.0","signature":null},"operating":{"edit":false,"download":true,"destroy":false,"enterprise_forbid_zip":false},"release":{"title":"openEuler 20.03 update 4.19.90-2210.3.0","path":"/openeuler/kernel/releases/tag/4.19.90-2210.3.0","tag_path":"/openeuler/kernel/tree/4.19.90-2210.3.0","project_id":7696525,"created_at":"2022-10-18T15:04:41+08:00","is_prerelease":false,"description":"# 
1TASK\r\n-------\r\n\r\n# 4.19.90-2210.1.0~1...4.19.90-2210.3.0\r\n-------\r\n| TASK | COMMIT |\r\n|:----:|:------:|\r\n|     bugzilla: 187805, https://gitee.com/src-openeuler/kernel/issues/I5U713 | edb25e44f5d5 binder: fix UAF of ref-\u003Eproc caused by race condition\u003Cbr\u003E |\r\n|     bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5U71M | 08f3f0b2fe7e arm64: fix oops in concurrently setting insn_emulation sysctls\u003Cbr\u003E |\r\n|     bugzilla: https://gitee.com/openeuler/kernel/issues/I5T5DD | 988dd3e9e103 mm/hotplug: silence a lockdep splat with printk()\u003Cbr\u003E |\r\n|     bugzilla: https://gitee.com/openeuler/kernel/issues/I5UPB0 | 72b3422d660f init/Kconfig: Add SMP to the dependencies of QOS_SCHED\u003Cbr\u003E |\r\n|     bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5USOP | 6d5d324d4ccb mm/rmap: Fix kabi broken in anon_vma\u003Cbr\u003Ea3544c89435b mm/rmap: Fix anon_vma-\u003Edegree ambiguity leading to double-reuse\u003Cbr\u003E |\r\n|     bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5U1PE | 4d870684a19f HID: roccat: Fix use-after-free in roccat_read()\u003Cbr\u003E |\r\n|     bugzilla: 187586, https://gitee.com/openeuler/kernel/issues/I5V3VI | e921a80d83f3 ext4: fix dir corruption when ext4_dx_add_entry() fails\u003Cbr\u003E |\r\n|     bugzilla: 187046, https://gitee.com/openeuler/kernel/issues/I5QH0X | 5de13cee5541 quota: Add more checking after reading from quota file\u003Cbr\u003E5606887f440a quota: Replace all block number checking with helper function\u003Cbr\u003E8b165737d7cf quota: Check next/prev free block number after reading from quota file\u003Cbr\u003Ebe12b77e8f48 Revert \"quota: Check next/prev free block number after reading from quota file\"\u003Cbr\u003E592e66e1803a Revert \"quota: Replace all block number checking with helper function\"\u003Cbr\u003E8cad765b10cc Revert \"quota: Add more checking after reading from quota file\"\u003Cbr\u003E |\r\n|     bugzilla: 
https://gitee.com/openeuler/kernel/issues/I5V45M | b15e501f036c tracefs: Only clobber mode/uid/gid on remount if asked\u003Cbr\u003E |\r\n|     bugzilla: https://gitee.com/openeuler/kernel/issues/I5UQH4 | 2265bd1b1924 netfilter: ebtables: fix memory leak when blob is malformed\u003Cbr\u003E6c76c5928c44 netfilter: ebtables: reject blobs that don't provide all entry points\u003Cbr\u003Ee7a18d60c92f mm: Fix TLB flush for not-first PFNMAP mappings in unmap_region()\u003Cbr\u003E7cbdfd4ce955 SUNRPC: use _bh spinlocking on -\u003Etransport_lock\u003Cbr\u003Ed2189b9e20b9 tcp: fix early ETIMEDOUT after spurious non-SACK RTO\u003Cbr\u003E858c6aad1c4b netfilter: br_netfilter: Drop dst references before setting.\u003Cbr\u003Ea1c25212fd7b debugfs: add debugfs_lookup_and_remove()\u003Cbr\u003Efbf064ebb7ed tcp: annotate data-race around challenge_timestamp\u003Cbr\u003E6afb63d8c5d9 Revert \"mm: kmemleak: take a full lowmem check in kmemleak_*_phys()\"\u003Cbr\u003Eafb3765b0890 net: neigh: don't call kfree_skb() under spin_lock_irqsave()\u003Cbr\u003E68d9a8b1a6c1 neigh: fix possible DoS due to net iface start/stop loop\u003Cbr\u003E67a9ed9355af mm/hugetlb: fix hugetlb not supporting softdirty tracking\u003Cbr\u003E3d014e93c17f asm-generic: sections: refactor memory_intersects\u003Cbr\u003Eba3f75d02acb loop: Check for overflow while configuring loop\u003Cbr\u003Ec608e2949f1c net: Fix a data-race around sysctl_somaxconn.\u003Cbr\u003E87b0a8b806c8 net: Fix a data-race around netdev_budget_usecs.\u003Cbr\u003Ef9c68f466bd4 net: Fix a data-race around netdev_budget.\u003Cbr\u003E094eb9a6fd0f net: Fix a data-race around sysctl_net_busy_read.\u003Cbr\u003E80413eaa8949 net: Fix a data-race around sysctl_net_busy_poll.\u003Cbr\u003E8b6ba6cf24c0 net: Fix a data-race around sysctl_tstamp_allow_data.\u003Cbr\u003Ea9f4046631ce ratelimit: Fix data-races in ___ratelimit().\u003Cbr\u003E0326f227350b net: Fix data-races around netdev_tstamp_prequeue.\u003Cbr\u003E5088437d569e net: Fix data-races 
around weight_p and dev_weight_[rt]x_bias.\u003Cbr\u003E6fd5f93e3928 net: ipvtap - add __init/__exit annotations to module init/exit funcs\u003Cbr\u003E443b3d8b215d bonding: 802.3ad: fix no transmission of LACPDUs\u003Cbr\u003E48c23b3c1939 xfrm: fix refcount leak in __xfrm_policy_check()\u003Cbr\u003E5985e603bc20 audit: fix potential double free on error path from fsnotify_add_inode_mark\u003Cbr\u003E4fd2314769c1 dm: return early from dm_pr_call() if DM device is suspended\u003Cbr\u003E092f82857702 NFSv4: Fix races in the legacy idmapper upcall\u003Cbr\u003E |\r\n\r\n# 2CVE\r\n-------\r\n\r\n| CVE | issue |\r\n|:---:|:-----:|\r\n| CVE-2022-20421 | #I5U713 |\r\n| CVE-2022-20422 | #I5U71M |\r\n| CVE-2022-41850 | #I5U1PE |\r\n| CVE-2022-42703 | #I5USOP |\r\n","author":{"name":"Qiuuuuu","username":"qiuuuuu","path":"/qiuuuuu","avatar_url":"no_portrait.png#Qiuuuuu-qiuuuuu"},"attach_files":[],"zip_download_url":"/openeuler/kernel/releases/tag/4.19.90-2210.3.0.zip","tar_download_url":"/openeuler/kernel/releases/tag/4.19.90-2210.3.0.tar.gz"}}}
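The race that commit edb25e44f5d5 (CVE-2022-20421) describes in the release data above, as an added userspace model that is not part of the release page and is not the kernel's binder code: a reference object is linked into both its owning proc and its target node before the increment is attempted, so a failed increment leaves a ref whose ref->proc outlives the proc once the target's deferred release has already walked and emptied its ref list. The singly linked lists, the `freed` flag standing in for kfree(), the `inc_fails` knob that forces the failure, and the names `ref_cleanup`, `proc_release_refs`, `inc_ref_for_node`, `node_release_count_uaf` and `race_scenario` are all modelling assumptions; the real driver's data structures and locking are not reproduced. Node release counts dangling ref->proc pointers instead of dereferencing them, so the program shows the bug without triggering undefined behaviour.

```c
/* Added model of the ref->proc lifetime bug from the commit message (CVE-2022-20421).
 * Not binder code: lists, the `freed` stand-in for kfree() and `inc_fails` are assumptions. */
#include <stdbool.h>
#include <stdlib.h>

struct binder_ref;
struct binder_node {
    bool inc_fails;            /* assumption: force the ref increment to fail */
    struct binder_ref *refs;   /* every ref that points at this node */
};
struct binder_proc {
    bool is_dead;              /* binder_deferred_release() has started */
    bool freed;                /* stand-in for kfree(proc) */
    struct binder_ref *refs;   /* refs owned by this proc */
};
struct binder_ref {
    struct binder_proc *proc;  /* owner; dangling once the proc is freed */
    struct binder_node *node;
    struct binder_ref *proc_next, *node_next;
};

/* Unlink ref from its proc and its node, then free it. */
static void ref_cleanup(struct binder_ref *ref)
{
    struct binder_ref **pp;
    for (pp = &ref->proc->refs; *pp; pp = &(*pp)->proc_next)
        if (*pp == ref) { *pp = ref->proc_next; break; }
    for (pp = &ref->node->refs; *pp; pp = &(*pp)->node_next)
        if (*pp == ref) { *pp = ref->node_next; break; }
    free(ref);
}

/* Deferred release, part one: the dying proc drops every ref it owns. */
static void proc_release_refs(struct binder_proc *proc)
{
    proc->is_dead = true;
    while (proc->refs)
        ref_cleanup(proc->refs);
}

/* Take a new ref on node for proc. The ref is linked into both owners before the
 * increment is attempted. On failure the pre-fix path (on_the_spot_cleanup ==
 * false) leaves it for the proc's release to clean up; the fix removes it here.
 * Returns 0 or a negative errno. */
static int inc_ref_for_node(struct binder_proc *proc, struct binder_node *node,
                            bool on_the_spot_cleanup)
{
    struct binder_ref *ref = calloc(1, sizeof(*ref));
    if (!ref)
        return -12;             /* -ENOMEM */
    ref->proc = proc;
    ref->node = node;
    ref->proc_next = proc->refs;
    proc->refs = ref;
    ref->node_next = node->refs;
    node->refs = ref;
    if (node->inc_fails) {
        if (on_the_spot_cleanup)
            ref_cleanup(ref);
        return -22;             /* -EINVAL */
    }
    return 0;
}

/* Node teardown walks node->refs and takes ref->proc->inner_lock for each one.
 * Rather than touch a possibly-freed proc, count refs whose proc is already gone. */
static int node_release_count_uaf(struct binder_node *node)
{
    int uaf = 0;
    while (node->refs) {
        struct binder_ref *ref = node->refs;
        node->refs = ref->node_next;
        if (ref->proc->freed)   /* spin_lock(&ref->proc->inner_lock) on freed memory */
            uaf++;
        free(ref);
    }
    return uaf;
}

/* The interleaving from the commit message: the target has already released its
 * refs when the transaction adds one and the increment fails; the target is then
 * freed and the node released. Returns 1 without the fix, 0 with it. */
static int race_scenario(bool fixed)
{
    struct binder_proc target = { 0 };
    struct binder_node node = { 0 };

    proc_release_refs(&target);
    node.inc_fails = true;
    if (inc_ref_for_node(&target, &node, fixed) == 0)
        return -1;              /* increment unexpectedly succeeded */
    target.freed = true;        /* deferred release finishes: kfree(proc) */
    return node_release_count_uaf(&node);
}

int main(void) { return race_scenario(false) == 1 && race_scenario(true) == 0 ? 0 : 1; }
```

The point the model makes is the ownership rule behind the fix: a reference that was only half-created must be torn down by the code path that created it, because the owner it was handed to may already be past the point where it will ever look at its ref list again.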