Bug 2044809 (CVE-2022-22942) - CVE-2022-22942 kernel: failing usercopy allows for use-after-free exploitation
Summary: CVE-2022-22942 kernel: failing usercopy allows for use-after-free exploitation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-22942
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2047593 2047594 2047595 2047596 2047597 2047598 2047599 2047600 2047601 2047602 2047603 2047604 2047605 2047606 2047607 2047608 2047609 2047610 2047611 2047612 2047613 2047614 2047615 2047616 2047617 2047618 2047619 2047620 2050116 2050117 2055098 2056599
Blocks: 2044792
TreeView+ depends on / blocked
 
Reported: 2022-01-25 09:07 UTC by Marian Rehak
Modified: 2022-05-17 09:02 UTC (History)
59 users (show)

Fixed In Version: Kernel 5.16
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel’s vmw_execbuf_copy_fence_user function in drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c in vmwgfx. This flaw allows a local attacker with user privileges to cause a privilege escalation problem.
Clone Of:
Environment:
Last Closed: 2022-05-11 15:46:51 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:0679 0 None None None 2022-02-24 20:40:58 UTC
Red Hat Product Errata RHBA-2022:0690 0 None None None 2022-02-28 14:16:47 UTC
Red Hat Product Errata RHBA-2022:0740 0 None None None 2022-03-03 15:58:32 UTC
Red Hat Product Errata RHBA-2022:1282 0 None None None 2022-04-08 13:26:52 UTC
Red Hat Product Errata RHSA-2022:0592 0 None None None 2022-02-22 09:12:45 UTC
Red Hat Product Errata RHSA-2022:0620 0 None None None 2022-02-22 16:58:31 UTC
Red Hat Product Errata RHSA-2022:0622 0 None None None 2022-02-22 17:01:10 UTC
Red Hat Product Errata RHSA-2022:0771 0 None None None 2022-03-08 15:04:35 UTC
Red Hat Product Errata RHSA-2022:0772 0 None None None 2022-03-08 15:55:40 UTC
Red Hat Product Errata RHSA-2022:0777 0 None None None 2022-03-08 17:50:57 UTC
Red Hat Product Errata RHSA-2022:0819 0 None None None 2022-03-10 15:04:28 UTC
Red Hat Product Errata RHSA-2022:0820 0 None None None 2022-03-10 15:54:35 UTC
Red Hat Product Errata RHSA-2022:0821 0 None None None 2022-03-10 15:13:38 UTC
Red Hat Product Errata RHSA-2022:0823 0 None None None 2022-03-10 15:32:10 UTC
Red Hat Product Errata RHSA-2022:0825 0 None None None 2022-03-10 16:15:48 UTC
Red Hat Product Errata RHSA-2022:0841 0 None None None 2022-03-14 09:23:07 UTC
Red Hat Product Errata RHSA-2022:0849 0 None None None 2022-03-14 10:48:45 UTC
Red Hat Product Errata RHSA-2022:0851 0 None None None 2022-03-14 10:19:47 UTC
Red Hat Product Errata RHSA-2022:0925 0 None None None 2022-03-15 13:36:56 UTC
Red Hat Product Errata RHSA-2022:0958 0 None None None 2022-03-17 16:28:17 UTC
Red Hat Product Errata RHSA-2022:1103 0 None None None 2022-03-29 09:07:29 UTC
Red Hat Product Errata RHSA-2022:1107 0 None Closed [ RHCS 5] Can't configure the Prometheus port for the RHCS 5 monitoring stack with cephadm 2022-04-26 12:55:23 UTC
Red Hat Product Errata RHSA-2022:1263 0 None None None 2022-04-07 09:03:27 UTC
Red Hat Product Errata RHSA-2022:1324 0 None None None 2022-04-12 15:37:23 UTC
Red Hat Product Errata RHSA-2022:1373 0 None None None 2022-04-13 19:58:54 UTC

Description Marian Rehak 2022-01-25 09:07:05 UTC 
A failing usercopy of the fence_rep object will lead to a stale entry in the file descriptor table as put_unused_fd() won't release it. This enables userland to refer to a dangling 'file' object through that still valid file descriptor, leading to all kinds of use-after-free exploitation scenarios.
Comment 11 Sandro Bonazzola 2022-02-16 09:55:31 UTC 
Created oVirt tracking bug for this issue:

Affects: oVirt Node 4.4 [ bug #2055098 ]
Comment 13 errata-xmlrpc 2022-02-22 09:12:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0592 https://access.redhat.com/errata/RHSA-2022:0592
Comment 14 errata-xmlrpc 2022-02-22 16:58:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0620 https://access.redhat.com/errata/RHSA-2022:0620
Comment 15 errata-xmlrpc 2022-02-22 17:01:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:0622 https://access.redhat.com/errata/RHSA-2022:0622
Comment 16 errata-xmlrpc 2022-03-08 15:04:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0771 https://access.redhat.com/errata/RHSA-2022:0771
Comment 17 errata-xmlrpc 2022-03-08 15:55:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0772 https://access.redhat.com/errata/RHSA-2022:0772
Comment 18 errata-xmlrpc 2022-03-08 17:50:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0777 https://access.redhat.com/errata/RHSA-2022:0777
Comment 19 errata-xmlrpc 2022-03-10 15:04:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0819 https://access.redhat.com/errata/RHSA-2022:0819
Comment 20 errata-xmlrpc 2022-03-10 15:13:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0821 https://access.redhat.com/errata/RHSA-2022:0821
Comment 21 errata-xmlrpc 2022-03-10 15:32:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0823 https://access.redhat.com/errata/RHSA-2022:0823
Comment 22 errata-xmlrpc 2022-03-10 15:54:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0820 https://access.redhat.com/errata/RHSA-2022:0820
Comment 23 errata-xmlrpc 2022-03-10 16:15:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0825 https://access.redhat.com/errata/RHSA-2022:0825
Comment 24 errata-xmlrpc 2022-03-14 09:23:03 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:0841 https://access.redhat.com/errata/RHSA-2022:0841
Comment 25 errata-xmlrpc 2022-03-14 10:19:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0851 https://access.redhat.com/errata/RHSA-2022:0851
Comment 26 errata-xmlrpc 2022-03-14 10:48:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0849 https://access.redhat.com/errata/RHSA-2022:0849
Comment 27 errata-xmlrpc 2022-03-15 13:36:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0925 https://access.redhat.com/errata/RHSA-2022:0925
Comment 28 errata-xmlrpc 2022-03-17 16:28:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:0958 https://access.redhat.com/errata/RHSA-2022:0958
Comment 29 errata-xmlrpc 2022-03-29 09:07:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2022:1103 https://access.redhat.com/errata/RHSA-2022:1103
Comment 30 errata-xmlrpc 2022-03-29 09:54:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:1107 https://access.redhat.com/errata/RHSA-2022:1107
Comment 32 errata-xmlrpc 2022-04-07 09:03:23 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2022:1263 https://access.redhat.com/errata/RHSA-2022:1263
Comment 33 errata-xmlrpc 2022-04-12 15:37:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2022:1324 https://access.redhat.com/errata/RHSA-2022:1324
Comment 34 errata-xmlrpc 2022-04-13 19:58:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2022:1373 https://access.redhat.com/errata/RHSA-2022:1373
Comment 35 Product Security DevOps Team 2022-05-11 15:46:46 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-22942
Note You need to log in before you can comment on or make changes to this bug.