{ "id": "CVE-2022-49080", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-02-26T07:00:45.347", "lastModified": "2025-02-26T07:00:45.347", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempolicy: fix mpol_new leak in shared_policy_replace\n\nIf mpol_new is allocated but not used in restart loop, mpol_new will be\nfreed via mpol_put before returning to the caller. But refcnt is not\ninitialized yet, so mpol_put could not do the right things and might\nleak the unused mpol_new. This would happen if mempolicy was updated on\nthe shared shmem file while the sp->lock has been dropped during the\nmemory allocation.\n\nThis issue could be triggered easily with the below code snippet if\nthere are many processes doing the below work at the same time:\n\n shmid = shmget((key_t)5566, 1024 * PAGE_SIZE, 0666|IPC_CREAT);\n shm = shmat(shmid, 0, 0);\n loop many times {\n mbind(shm, 1024 * PAGE_SIZE, MPOL_LOCAL, mask, maxnode, 0);\n mbind(shm + 128 * PAGE_SIZE, 128 * PAGE_SIZE, MPOL_DEFAULT, mask,\n maxnode, 0);\n }" }, { "lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/mempolicy: arregla la fuga de mpol_new en shared_policy_replace Si mpol_new se asigna pero no se usa en el bucle de reinicio, mpol_new se liberar\u00e1 a trav\u00e9s de mpol_put antes de regresar al llamador. Pero refcnt a\u00fan no se ha inicializado, por lo que mpol_put no podr\u00eda hacer las cosas correctas y podr\u00eda filtrar el mpol_new no utilizado. Esto suceder\u00eda si mempolicy se actualizara en el archivo shmem compartido mientras se eliminaba sp->lock durante la asignaci\u00f3n de memoria. Este problema se podr\u00eda activar f\u00e1cilmente con el siguiente fragmento de c\u00f3digo si hay muchos procesos haciendo el siguiente trabajo al mismo tiempo: shmid = shmget((key_t)5566, 1024 * PAGE_SIZE, 0666|IPC_CREAT); shm = shmat(shmid, 0, 0); repetir muchas veces { mbind(shm, 1024 * PAGE_SIZE, MPOL_LOCAL, mask, maxnode, 0); mbind(shm + 128 * PAGE_SIZE, 128 * PAGE_SIZE, MPOL_DEFAULT, mask, maxnode, 0); }" } ], "metrics": {}, "references": [ { "url": "https://git.kernel.org/stable/c/198932a14aeb19a15cf19e51e151d023bc4cd648", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/25f506273b6ae806fd46bfcb6fdaa5b9ec81a05b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/39a32f3c06f6d68a530bf9612afa19f50f12e93d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/4ad099559b00ac01c3726e5c95dc3108ef47d03e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/5e16dc5378abd749a836daa9ee4ab2c8d2668999", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/6e00309ac716fa8225f0cbde2cd9c24f0e74ee21", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/8510c2346d9e47a72b7f018a36ef0c39483e53d6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/f7e183b0a7136b6dc9c7b9b2a85a608a8feba894", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/fe39ac59dbbf893b73b24e3184161d0bd06d6651", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" } ] }