Bug 2060795 (CVE-2022-0847)

Summary: CVE-2022-0847 kernel: improper initialization of the "flags" member of the new pipe_buffer
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, asavkov, aviro, berend.de.schouwer, bhu, brdeoliv, bskeggs, chwhite, cperry, crwood, ctoe, dbohanno, dhoward, dhowells, dvlasenk, esandeen, fedoraproject, fhrbata, fpacheco, gferrazs, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jpoimboe, jshortt, jstancek, jthierry, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, kfujii, kpatch-maint, kyoshida, lgoncalv, linville, lzampier, masami256, matthew.lesieur, mcascell, mchehab, michael.n.nhan, michal.skrivanek, mperina, nmurray, nobody, ptalbert, qzhao, rhandlin, rvrbovsk, sbonazzo, scweaver, security-response-team, steved, swhiteho, t.h.amundsen, tim, vkumar, walters, williams, ycote, ymittal, yozone, zulinx86
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 5.17-rc6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-03-14 13:46:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2060869, 2060870, 2060871, 2060872, 2060873, 2060874, 2060875, 2060876, 2060877, 2060878, 2060879, 2060880, 2060881, 2060882, 2060883, 2060884, 2060914, 2060915, 2061342, 2061454, 2061694, 2065545
Bug Blocks: 2060057, 2060652

Description Rohit Keshri 2022-03-04 10:03:53 UTC
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

Upstream patch:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/lib/iov_iter.c?id=9d2231c5d74e13b2a0546fee6737ee4446017903
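Added example, not the kernel's code and not part of this bug report: a simplified C model of the pipe ring that shows why the missing initialization described above leaves a recycled pipe_buffer with stale flags, beside the one-line fix the upstream commit applies. The struct, ring helpers and reuse scenario are assumptions; only the flag name, its value and the fixed function's name are the kernel's.

```c
/* Added example, not the kernel's code: a simplified model of the pipe ring in which
 * a pipe_buffer slot is recycled; struct and helpers stand in for the kernel's. */
#define PIPE_BUF_FLAG_CAN_MERGE 0x10  /* the kernel's flag name and value */
#define RING_SIZE 4

struct pipe_buffer {
    void *page;
    unsigned int offset, len;
    unsigned int flags;
};

struct pipe_ring {
    struct pipe_buffer bufs[RING_SIZE];
    unsigned int head;  /* next slot to fill; consumed slots are not scrubbed */
};

/* Model of push_pipe() before the fix: page/offset/len are set, flags is not,
 * so the new buffer inherits whatever the slot's previous occupant left there. */
static struct pipe_buffer *push_pipe_unfixed(struct pipe_ring *r, void *page, unsigned int len)
{
    struct pipe_buffer *buf = &r->bufs[r->head++ & (RING_SIZE - 1)];
    buf->page = page;
    buf->offset = 0;
    buf->len = len;
    return buf;
}

/* Model of push_pipe() after commit 9d2231c5d74e: the fix is buf->flags = 0. */
static struct pipe_buffer *push_pipe_fixed(struct pipe_ring *r, void *page, unsigned int len)
{
    struct pipe_buffer *buf = push_pipe_unfixed(r, page, len);
    buf->flags = 0;
    return buf;
}

/* Constructed scenario: every slot once held a buffer with CAN_MERGE set by an
 * ordinary pipe write and was then consumed; slot 0 is now reused for a new
 * page. Returns the flags the reused buffer ends up with. */
static unsigned int reuse_slot_flags(int fixed)
{
    struct pipe_ring r = {0};
    char page_a[16], page_b[16];
    for (int i = 0; i < RING_SIZE; i++)
        push_pipe_unfixed(&r, page_a, sizeof page_a)->flags = PIPE_BUF_FLAG_CAN_MERGE;
    struct pipe_buffer *nb = fixed ? push_pipe_fixed(&r, page_b, sizeof page_b)
                                   : push_pipe_unfixed(&r, page_b, sizeof page_b);
    return nb->flags;  /* unfixed: 0x10 (stale), fixed: 0 */
}
```

The same missing-initialization pattern applies to copy_page_to_iter_pipe, which the upstream commit fixes identically.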

Comment 12 Marian Rehak 2022-03-07 15:43:25 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2061454]

Comment 15 Sandro Bonazzola 2022-03-08 10:52:44 UTC
Created oVirt Node tracking bugs for this issue:

Affects: oVirt 4.4 [bug 2061694]

Comment 16 Justin M. Forbes 2022-03-08 16:21:27 UTC
This was fixed for Fedora in the 5.16.11 stable kernel update.

Comment 17 errata-xmlrpc 2022-03-10 15:04:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0819 https://access.redhat.com/errata/RHSA-2022:0819

Comment 18 errata-xmlrpc 2022-03-10 15:13:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0821 https://access.redhat.com/errata/RHSA-2022:0821

Comment 19 errata-xmlrpc 2022-03-10 15:32:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0823 https://access.redhat.com/errata/RHSA-2022:0823

Comment 20 errata-xmlrpc 2022-03-10 15:32:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0822 https://access.redhat.com/errata/RHSA-2022:0822

Comment 21 errata-xmlrpc 2022-03-10 15:54:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0820 https://access.redhat.com/errata/RHSA-2022:0820

Comment 22 errata-xmlrpc 2022-03-10 16:16:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0825 https://access.redhat.com/errata/RHSA-2022:0825

Comment 23 errata-xmlrpc 2022-03-10 16:29:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0831 https://access.redhat.com/errata/RHSA-2022:0831

Comment 25 errata-xmlrpc 2022-03-14 09:23:26 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:0841 https://access.redhat.com/errata/RHSA-2022:0841

Comment 26 Product Security DevOps Team 2022-03-14 13:46:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0847

Comment 27 Sandro Bonazzola 2022-03-18 07:37:44 UTC
Created CentOS Stream 8 tracking bugs for this issue:

Affects: CentOS Stream 8 [bug 2065545]