Bug 2155840 (CVE-2022-47946)

Summary: CVE-2022-47946 Linux kernel: use-after-free in io_sqpoll_wait_sq
Product: [Other] Security Response
Reporter: Sage McTaggart <amctagga>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, bskeggs, chwhite, crwood, ddepaula, debarbos, dfreiber, dhoward, dvlasenk, ezulian, fhrbata, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, josef, jshortt, jstancek, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lleshchi, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rogbas, rvrbovsk, scweaver, steved, tyberry, vkumar, walters, williams
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2022-12-27 13:48:20 UTC
Bug Depends On: 2156539, 2156540
Bug Blocks: 2155842

Description Sage McTaggart 2022-12-22 15:14:32 UTC
An issue was discovered in the Linux kernel 5.10.x before 5.10.155. A use-after-free in io_sqpoll_wait_sq in fs/io_uring.c allows an attacker to crash the kernel, resulting in denial of service. finish_wait can be skipped. An attack can occur in some situations by forking a process and then quickly terminating it. NOTE: later kernel versions, such as the 5.15 longterm series, substantially changed the implementation of io_sqpoll_wait_sq.

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.161&id=0f544353fec8e717d37724d95b92538e1de79e86
https://www.openwall.com/lists/oss-security/2022/12/22/2
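The description above gives the affected range as 5.10.x before 5.10.155 and notes that 5.15 and later reworked io_sqpoll_wait_sq. The following Python helper, added here as an example and not part of this bug report or the kernel project, turns that statement into a check a fleet owner can run against `uname -r` strings. It only encodes the range the description names; it assumes upstream stable numbering, so a distribution kernel that backports the fix without bumping the patch level will still be reported as "affected" and must be confirmed against the vendor's advisory.

```python
import re
from typing import Optional, Tuple

# Affected range as stated in the CVE description on this bug: 5.10.x before 5.10.155.
AFFECTED_SERIES = (5, 10)
FIRST_FIXED_PATCH = 155

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a `uname -r` string such as
    '5.10.154-1.fc36.x86_64'. Distro suffixes are ignored; a missing
    patch level is treated as 0. Returns None if the string is unparseable."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def assess(release: str) -> str:
    """Classify a kernel release string against the range named in CVE-2022-47946.

    'affected' : 5.10.x with x < 155 (upstream stable numbering)
    'fixed'    : 5.10.155 or later
    'outside'  : not a 5.10.y kernel; the description does not name it, and
                 5.15+ reworked io_sqpoll_wait_sq, so consult your vendor
    'unknown'  : could not parse

    Assumption: upstream numbering. A distribution kernel may carry the fix as a
    backport without changing the patch level, so 'affected' means 'inside the
    upstream range', not proof of exposure."""
    v = parse_release(release)
    if v is None:
        return "unknown"
    major, minor, patch = v
    if (major, minor) != AFFECTED_SERIES:
        return "outside"
    return "affected" if patch < FIRST_FIXED_PATCH else "fixed"


if __name__ == "__main__":
    import platform

    # Check the running kernel; constructed sample strings are used in tests.
    rel = platform.release()
    print(f"{rel}: {assess(rel)}")
```

Run it on a host to classify the running kernel, or feed it the release strings collected from an inventory; anything reported as "outside" or "affected" still needs the vendor's own statement before it is counted as patched.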

Comment 2 Alex 2022-12-27 12:13:08 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-36 [bug 2156539]
Affects: fedora-37 [bug 2156540]

Comment 4 Justin M. Forbes 2022-12-31 15:48:58 UTC
(In reply to Alex from comment #2)
> Created kernel tracking bugs for this issue:
> 
> Affects: fedora-36 [bug 2156539]
> Affects: fedora-37 [bug 2156540]

We typically create a single Fedora tracking bug which covers all releases. As I keep all Fedora releases on the same kernel version, maintained out of the same source tree, it either impacts all or none, and updates are filed at the same time for all releases.

Comment 5 Justin M. Forbes 2022-12-31 15:53:45 UTC
This was fixed for Fedora with the 5.12 kernel rebases.