A race condition was found in the Linux kernel's watch queue due to a missing lock in pipe_resize_ring(). The race can occur when one thread (A) uses ioctl(IOC_WATCH_QUEUE_SET_SIZE) to resize the pipe buffer and free the old pipe buffer while another thread (B) uses keyctl() to trigger a notification in the watch queue, which calls post_one_notification() and accesses the freed pipe buffer.
ZDI advisory: https://www.zerodayinitiative.com/advisories/ZDI-22-1165/
Upstream fix: https://github.com/torvalds/linux/commit/189b0ddc245139af81198d1a3637cac74f96e13a
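As an added illustration that is not part of this bug report or of the kernel source, the following constructed user-space model shows the two code paths described above and why the resize path must hold the same lock the poster takes. The struct, field and function names (spinlock_t, pipe_init, post_notification, resize_ring, the `fixed` flag) are simplified analogues of the kernel's pipe->mutex, pipe->rd_wait.lock, post_one_notification() and pipe_resize_ring(), with a C11 atomic flag standing in for the kernel spinlock.

```c
/* Constructed user-space model of the CVE-2022-2959 locking bug; not kernel code. */
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>
#define MSG_LEN 32
typedef atomic_flag spinlock_t;
static void spin_lock(spinlock_t *l) { while (atomic_flag_test_and_set(l)) {} }
static void spin_unlock(spinlock_t *l) { atomic_flag_clear(l); }
struct pipe {
    spinlock_t mutex;        /* stands in for pipe->mutex: serialises writers and resize */
    spinlock_t rd_wait_lock; /* stands in for pipe->rd_wait.lock: the only lock the poster takes */
    char (*bufs)[MSG_LEN];   /* the ring buffer that resize replaces and frees */
    unsigned ring_size, head, tail;
};
void pipe_init(struct pipe *p, unsigned slots) {
    atomic_flag_clear(&p->mutex); atomic_flag_clear(&p->rd_wait_lock);
    p->bufs = calloc(slots, MSG_LEN);
    p->ring_size = slots; p->head = p->tail = 0;
}
/* post_one_notification() analogue (thread B, reached via keyctl()): holds rd_wait_lock only. */
int post_notification(struct pipe *p, const char *msg) {
    int ret = -1;
    spin_lock(&p->rd_wait_lock);
    if (p->head - p->tail < p->ring_size) {               /* ring not full */
        strncpy(p->bufs[p->head % p->ring_size], msg, MSG_LEN - 1);
        p->head++; ret = 0;
    }
    spin_unlock(&p->rd_wait_lock);
    return ret;
}
/* pipe_resize_ring() analogue (thread A, IOC_WATCH_QUEUE_SET_SIZE). fixed == 0 swaps and frees the
 * ring under pipe->mutex only, which the poster never takes, so a concurrent post can still use the
 * freed ring; fixed == 1 also holds rd_wait_lock across the swap, as the upstream fix does. */
int resize_ring(struct pipe *p, unsigned nr_slots, int fixed) {
    char (*nbufs)[MSG_LEN] = calloc(nr_slots, MSG_LEN), (*old)[MSG_LEN]; unsigned i, n;
    if (!nbufs) return -1;
    spin_lock(&p->mutex);
    if (fixed) spin_lock(&p->rd_wait_lock);
    n = p->head - p->tail;
    if (n > nr_slots) {                                    /* refuse to drop queued data */
        if (fixed) spin_unlock(&p->rd_wait_lock);
        spin_unlock(&p->mutex); free(nbufs); return -1;
    }
    for (i = 0; i < n; i++) memcpy(nbufs[i], p->bufs[(p->tail + i) % p->ring_size], MSG_LEN);
    old = p->bufs; p->bufs = nbufs; p->ring_size = nr_slots; p->head = n; p->tail = 0;
    if (fixed) spin_unlock(&p->rd_wait_lock);
    spin_unlock(&p->mutex);
    free(old); /* safe only when no poster can still hold the old pointer */
    return 0;
}
```

With `fixed == 1` a poster either runs entirely before the swap (and sees the old ring, which is not yet freed) or entirely after it (and sees the new ring); with `fixed == 0` nothing orders the poster's read of `bufs` against the swap and the free.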
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2022:8973 https://access.redhat.com/errata/RHSA-2022:8973
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2022:8974 https://access.redhat.com/errata/RHSA-2022:8974
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2022:9082 https://access.redhat.com/errata/RHSA-2022:9082
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0300 https://access.redhat.com/errata/RHSA-2023:0300
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0334 https://access.redhat.com/errata/RHSA-2023:0334
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0348 https://access.redhat.com/errata/RHSA-2023:0348
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-2959