Bug 2063786 (CVE-2022-0995)

Summary: CVE-2022-0995 kernel: kernel bug in the watch_queue subsystem
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, michal.skrivanek, mperina, nmurray, ptalbert, qzhao, rkeshri, roxabee, rvrbovsk, sbonazzo, scweaver, security-response-team, steved, walters, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: kernel 5.17 rc8
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds (OOB) memory write flaw was found in the Linux kernel's watch_queue event notification subsystem. This flaw can overwrite parts of the kernel state, potentially allowing a local user to gain privileged access or cause a denial of service on the system.
Story Points: ---
Last Closed: 2022-05-17 12:17:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2063758, 2064545, 2064546, 2064547, 2064548, 2064549
Bug Blocks: 2063781, 2064720

Description Sandipan Roy 2022-03-14 11:43:23 UTC
The watch_queue event notification subsystem in the kernel has a couple of out-of-bounds writes that can be triggered by any user. These can be used to overwrite parts of the kernel state, potentially allowing the user to gain privileged access to or panic the system.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93ce93587d36493f2f86921fa79921b3cba63fbb

Comment 3 Rohit Keshri 2022-03-16 07:14:16 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2064549]

Comment 9 Product Security DevOps Team 2022-05-17 12:16:59 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0995

Comment 10 Roxana Bradescu 2022-09-16 05:14:08 UTC
Was just looking at CVE-2022-0995 and noticed that the CVSS vector on the Red Hat site is correct (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), but it is wrong in NVD (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).
It's a High severity vulnerability either way, but we feel that making sure that everyone realizes the impact includes Integrity is important. Is there a way that Red Hat can push an update to NVD? Thanks!!

Comment 11 Rohit Keshri 2023-01-25 05:40:27 UTC
Thank you, CVSS was corrected on the NVD.