Уязвимость CVE-2022-3176: Информация

Описание

There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659

Важность: HIGH (7,8) Вектор: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Исправленные пакеты

Ссылки на рекомендации, решения и инструменты

1. Подверженные конфигурации:

   1. Конфигурация 1

      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

      Start including

      5.1

      End excliding

      5.4.212

      ---

      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

      Start including

      5.5

      End excliding

      5.10.141

      ---

      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

      Start including

      5.11

      End excliding

      5.15.65

      ---

      cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

      Start including

      5.16

      End excliding

      5.17

      ---

      Конфигурация 2

      cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

      ---