Race Condition Affecting kernel-64kb-devel package, versions <5.14.21-150400.24.133.2


Severity

Recommended
0.0
medium
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.04% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SLES154-KERNEL64KBDEVEL-8090298
  • published25 Sept 2024
  • disclosed24 Sept 2024

Introduced: 24 Sep 2024

CVE-2022-48931  (opens in a new tab)
CWE-362  (opens in a new tab)

How to fix?

Upgrade SLES:15.4 kernel-64kb-devel to version 5.14.21-150400.24.133.2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-64kb-devel package and not the kernel-64kb-devel package as distributed by SLES. See How to fix? for SLES:15.4 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

configfs: fix a race in configfs_{,un}register_subsystem()

When configfs_register_subsystem() or configfs_unregister_subsystem() is executing link_group() or unlink_group(), it is possible that two processes add or delete list concurrently. Some unfortunate interleavings of them can cause kernel panic.

One of cases is: A --> B --> C --> D A <-- B <-- C <-- D

 delete list_head *B        |      delete list_head *C

--------------------------------|----------------------------------- configfs_unregister_subsystem | configfs_unregister_subsystem unlink_group | unlink_group unlink_obj | unlink_obj list_del_init | list_del_init __list_del_entry | __list_del_entry __list_del | __list_del // next == C | next->prev = prev | | next->prev = prev prev->next = next | | // prev == B | prev->next = next

Fix this by adding mutex when calling link_group() or unlink_group(), but parent configfs_subsystem is NULL when config_item is root. So I create a mutex configfs_subsystem_mutex.

CVSS Scores

version 3.1