Bug 2060795 (CVE-2022-0847) - CVE-2022-0847 kernel: improper initialization of the "flags" member of the new pipe_buffer
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-0847
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2060869 2060870 2060871 2060872 2060873 2060874 2060875 2060876 2060877 2060878 2060879 2060880 2060881 2060882 2060883 2060884 2060914 2060915 2061342 2061454 2061694 2065545
Blocks: 2060057 2060652
 
Reported: 2022-03-04 10:03 UTC by Rohit Keshri
Modified: 2023-12-07 14:33 UTC

Fixed In Version: kernel 5.17-rc6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and as such escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2022-03-14 13:46:38 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:1282 0 None None None 2022-04-08 13:26:59 UTC
Red Hat Product Errata RHSA-2022:0819 0 None None None 2022-03-10 15:04:46 UTC
Red Hat Product Errata RHSA-2022:0820 0 None None None 2022-03-10 15:54:47 UTC
Red Hat Product Errata RHSA-2022:0821 0 None None None 2022-03-10 15:14:04 UTC
Red Hat Product Errata RHSA-2022:0822 0 None None None 2022-03-10 15:32:48 UTC
Red Hat Product Errata RHSA-2022:0823 0 None None None 2022-03-10 15:32:31 UTC
Red Hat Product Errata RHSA-2022:0825 0 None None None 2022-03-10 16:16:13 UTC
Red Hat Product Errata RHSA-2022:0831 0 None None None 2022-03-10 16:29:27 UTC
Red Hat Product Errata RHSA-2022:0841 0 None None None 2022-03-14 09:23:32 UTC

Description Rohit Keshri 2022-03-04 10:03:53 UTC
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and as such escalate their privileges on the system.

Upstream patch:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/lib/iov_iter.c?id=9d2231c5d74e13b2a0546fee6737ee4446017903
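
A userspace model of the flaw described above, added here as an illustration and not taken from the kernel source or the upstream patch: a reused buffer slot keeps a stale "may merge" flag unless every member is set on reuse. The struct layout, `BUF_FLAG_CAN_MERGE`, the page size and all function names are assumptions made for this example.

```c
#include <string.h>

/* Constructed model: names and sizes are illustrative, not kernel definitions. */
#define BUF_FLAG_CAN_MERGE 0x10u  /* "a later write may append into this page" */
#define PAGE_SZ 32u

struct page { char data[PAGE_SZ]; };
struct pipe_buffer { struct page *page; unsigned offset, len, flags; };

/* Ordinary write into a page the pipe owns: marking it mergeable is correct. */
static void buf_fill_owned(struct pipe_buffer *b, struct page *pg, const char *s)
{
    size_t n = strlen(s);
    memcpy(pg->data, s, n);
    b->page = pg; b->offset = 0; b->len = (unsigned)n;
    b->flags = BUF_FLAG_CAN_MERGE;
}

/* Reader drains the slot; the struct is reused later, its flags are not zeroed. */
static void buf_release(struct pipe_buffer *b) { b->page = NULL; b->len = 0; }

/* Slot now references a page it does not own (a cached file page).
 * init_flags == 0 models the flaw, init_flags == 1 the corrected form. */
static void buf_ref_cached(struct pipe_buffer *b, struct page *pg, unsigned len, int init_flags)
{
    b->page = pg; b->offset = 0; b->len = len;
    if (init_flags)
        b->flags = 0;             /* every member is set when the slot is reused */
}

/* Write path: appends in place only when the slot is flagged mergeable. */
static int buf_try_merge(struct pipe_buffer *b, const char *s)
{
    size_t n = strlen(s);
    if (!(b->flags & BUF_FLAG_CAN_MERGE) || b->offset + b->len + n > PAGE_SZ)
        return 0;
    memcpy(b->page->data + b->offset + b->len, s, n);
    b->len += (unsigned)n;
    return 1;
}

/* Returns 1 if the cached (read-only) page content changed, 0 if it is intact. */
int cached_page_modified(int init_flags)
{
    struct page owned = {{0}}, cached = {{0}};
    struct pipe_buffer slot = {0};
    memcpy(cached.data, "read-only file data", 19);  /* constructed sample content */
    buf_fill_owned(&slot, &owned, "hello");          /* sets the merge flag */
    buf_release(&slot);                              /* flag survives the release */
    buf_ref_cached(&slot, &cached, 4, init_flags);
    buf_try_merge(&slot, "XXXX");
    return memcmp(cached.data, "read-only file data", 19) != 0;
}
```
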

Comment 12 Marian Rehak 2022-03-07 15:43:25 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2061454]

Comment 15 Sandro Bonazzola 2022-03-08 10:52:44 UTC
Created oVirt Node tracking bugs for this issue:

Affects: oVirt 4.4 [bug 2061694]

Comment 16 Justin M. Forbes 2022-03-08 16:21:27 UTC
This was fixed for Fedora in the 5.16.11 stable kernel update.

Comment 17 errata-xmlrpc 2022-03-10 15:04:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0819 https://access.redhat.com/errata/RHSA-2022:0819

Comment 18 errata-xmlrpc 2022-03-10 15:13:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0821 https://access.redhat.com/errata/RHSA-2022:0821

Comment 19 errata-xmlrpc 2022-03-10 15:32:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0823 https://access.redhat.com/errata/RHSA-2022:0823

Comment 20 errata-xmlrpc 2022-03-10 15:32:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0822 https://access.redhat.com/errata/RHSA-2022:0822

Comment 21 errata-xmlrpc 2022-03-10 15:54:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0820 https://access.redhat.com/errata/RHSA-2022:0820

Comment 22 errata-xmlrpc 2022-03-10 16:16:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0825 https://access.redhat.com/errata/RHSA-2022:0825

Comment 23 errata-xmlrpc 2022-03-10 16:29:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0831 https://access.redhat.com/errata/RHSA-2022:0831

Comment 25 errata-xmlrpc 2022-03-14 09:23:26 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:0841 https://access.redhat.com/errata/RHSA-2022:0841

Comment 26 Product Security DevOps Team 2022-03-14 13:46:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0847

Comment 27 Sandro Bonazzola 2022-03-18 07:37:44 UTC
Created CentOS Stream 8 tracking bugs for this issue:

Affects: CentOS Stream 8 [bug 2065545]

