CVE-2022-1011: Use After Free
First published: Mon Mar 07 2022(Updated: )
A flaw in the Linux Kernel found. If unprivileged users can mount FUSE filesystems, then can trigger use after free (UAF) that reads of write() buffers, allowing theft of (partial) /etc/shadow hashes or any other data from filesystem. FUSE allows the userspace filesystem to specify on FUSE_OPEN whether the file should use the normal kernel pagecache for handling read()/write() or just send FUSE_READ/FUSE_WRITE requests directly to the userspace filesystem (using the flag FOPEN_DIRECT_IO in fuse_open_out::open_flags). In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls fuse_direct_write_iter(), which normally calls fuse_direct_io(), which then imports the write buffer with fuse_get_user_pages(), which uses iov_iter_get_pages() to grab references to userspace pages instead of actually copying memory. On the filesystem device side, these pages can then either be read to userspace (via fuse_dev_read()), or splice()d over into a pipe using fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops. This is wrong because after fuse_dev_do_read() unlocks the FUSE request, the userspace filesystem can mark the request as completed, causing write() to return. At that point, the write buffer may be reused for other purposes, and the userspace filesystem should no longer have access to it.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:4.18.0-372.9.1.rt7.166.el8 | 0:4.18.0-372.9.1.rt7.166.el8 |
| redhat/kernel | <0:4.18.0-372.9.1.el8 | 0:4.18.0-372.9.1.el8 |
| Linux Linux kernel | <5.17 | |
| Linux Linux kernel | =5.17 | |
| Linux Linux kernel | =5.17-rc1 | |
| Linux Linux kernel | =5.17-rc2 | |
| Linux Linux kernel | =5.17-rc3 | |
| Linux Linux kernel | =5.17-rc4 | |
| Linux Linux kernel | =5.17-rc7 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Redhat Build Of Quarkus | =2.0 | |
| Redhat Developer Tools | =1.0 | |
| Redhat Enterprise Linux | =6.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux Eus | =8.6 | |
| Redhat Enterprise Linux For Ibm Z Systems | =8.0 | |
| Redhat Enterprise Linux For Ibm Z Systems Eus | =8.6 | |
| Redhat Enterprise Linux For Power Little Endian | =8.0 | |
| Redhat Enterprise Linux For Power Little Endian Eus | =8.6 | |
| Redhat Enterprise Linux For Real Time | =8 | |
| Redhat Enterprise Linux For Real Time For Nfv | =8 | |
| Redhat Enterprise Linux For Real Time For Nfv Tus | =8.6 | |
| Redhat Enterprise Linux For Real Time Tus | =8.6 | |
| Redhat Enterprise Linux Server Aus | =8.6 | |
| Redhat Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions | =8.6 | |
| Redhat Enterprise Linux Server Tus | =8.6 | |
| Redhat Enterprise Linux Server Update Services For Sap Solutions | =8.6 | |
| Redhat Virtualization Host | =4.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Codeready Linux Builder | ||
| Redhat Enterprise Linux | =8.6 | |
| Redhat Enterprise Linux Eus | =8.6 | |
| Redhat Enterprise Linux For Power Little Endian | =8.0 | |
| Redhat Enterprise Linux For Power Little Endian Eus | =8.6 | |
| Apple macOS Ventura | ||
| Apple macOS Big Sur | ||
| Apple macOS Big Sur | ||
| Apple macOS Ventura | ||
| Apple macOS Big Sur | ||
| Apple macOS Monterey | ||
| Netapp H300e Firmware | ||
| Netapp H300e | ||
| Netapp H500e Firmware | ||
| Netapp H500e | ||
| Netapp H700e Firmware | ||
| Netapp H700e | ||
| Apple macOS Monterey | ||
| Apple macOS Monterey | ||
| Netapp H410c Firmware | ||
| Netapp H410c | ||
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Oracle Communications Cloud Native Core Binding Support Function | =22.1.3 | |
| ubuntu/linux | <4.15.0-189.200 | 4.15.0-189.200 |
| ubuntu/linux | <5.4.0-117.132 | 5.4.0-117.132 |
| ubuntu/linux | <5.17~ | 5.17~ |
| ubuntu/linux-aws | <4.15.0-1137.148 | 4.15.0-1137.148 |
| ubuntu/linux-aws | <5.4.0-1078.84 | 5.4.0-1078.84 |
| ubuntu/linux-aws | <5.17~ | 5.17~ |
| ubuntu/linux-aws-5.0 | <5.17~ | 5.17~ |
| ubuntu/linux-aws-5.11 | <5.17~ | 5.17~ |
| ubuntu/linux-aws-5.13 | <5.17~ | 5.17~ |
| ubuntu/linux-aws-5.3 | <5.17~ | 5.17~ |
| ubuntu/linux-aws-5.4 | <5.17~ | 5.17~ |
| ubuntu/linux-aws-5.4 | <5.4.0-1078.84~18.04.1 | 5.4.0-1078.84~18.04.1 |
| ubuntu/linux-aws-5.8 | <5.17~ | 5.17~ |
| ubuntu/linux-aws-hwe | <4.15.0-1137.148~16.04.1 | 4.15.0-1137.148~16.04.1 |
| ubuntu/linux-aws-hwe | <5.17~ | 5.17~ |
| ubuntu/linux-azure | <5.4.0-1083.87 | 5.4.0-1083.87 |
| ubuntu/linux-azure | <4.15.0-1146.161~14.04.1 | 4.15.0-1146.161~14.04.1 |
| ubuntu/linux-azure | <4.15.0-1146.161~16.04.1 | 4.15.0-1146.161~16.04.1 |
| ubuntu/linux-azure | <5.17~ | 5.17~ |
| ubuntu/linux-azure-4.15 | <4.15.0-1146.161 | 4.15.0-1146.161 |
| ubuntu/linux-azure-4.15 | <5.17~ | 5.17~ |
| ubuntu/linux-azure-5.11 | <5.17~ | 5.17~ |
| ubuntu/linux-azure-5.13 | <5.17~ | 5.17~ |
| ubuntu/linux-azure-5.3 | <5.17~ | 5.17~ |
| ubuntu/linux-azure-5.4 | <5.4.0-1083.87~18.04.1 | 5.4.0-1083.87~18.04.1 |
| ubuntu/linux-azure-5.4 | <5.17~ | 5.17~ |
| ubuntu/linux-azure-edge | <5.17~ | 5.17~ |
| ubuntu/linux-azure-fde | <5.4.0-1083.87 | 5.4.0-1083.87 |
| ubuntu/linux-azure-fde | <5.17~ | 5.17~ |
| ubuntu/linux-bluefield | <5.4.0-1040.44 | 5.4.0-1040.44 |
| ubuntu/linux-bluefield | <5.17~ | 5.17~ |
| ubuntu/linux-dell300x | <4.15.0-1049.54 | 4.15.0-1049.54 |
| ubuntu/linux-dell300x | <5.17~ | 5.17~ |
| ubuntu/linux-fips | <5.17~ | 5.17~ |
| ubuntu/linux-gcp | <5.17~ | 5.17~ |
| ubuntu/linux-gcp | <5.4.0-1078.84 | 5.4.0-1078.84 |
| ubuntu/linux-gcp | <4.15.0-1131.147~16.04.1 | 4.15.0-1131.147~16.04.1 |
| ubuntu/linux-gcp-4.15 | <4.15.0-1131.147 | 4.15.0-1131.147 |
| ubuntu/linux-gcp-4.15 | <5.17~ | 5.17~ |
| ubuntu/linux-gcp-5.11 | <5.17~ | 5.17~ |
| ubuntu/linux-gcp-5.13 | <5.17~ | 5.17~ |
| ubuntu/linux-gcp-5.3 | <5.17~ | 5.17~ |
| ubuntu/linux-gcp-5.4 | <5.4.0-1078.84~18.04.1 | 5.4.0-1078.84~18.04.1 |
| ubuntu/linux-gcp-5.8 | <5.17~ | 5.17~ |
| ubuntu/linux-gke | <5.4.0-1074.79 | 5.4.0-1074.79 |
| ubuntu/linux-gke | <5.17~ | 5.17~ |
| ubuntu/linux-gke-4.15 | <5.17~ | 5.17~ |
| ubuntu/linux-gke-5.0 | <5.17~ | 5.17~ |
| ubuntu/linux-gke-5.3 | <5.17~ | 5.17~ |
| ubuntu/linux-gke-5.4 | <5.4.0-1074.79~18.04.1 | 5.4.0-1074.79~18.04.1 |
| ubuntu/linux-gke-5.4 | <5.17~ | 5.17~ |
| ubuntu/linux-gkeop | <5.17~ | 5.17~ |
| ubuntu/linux-gkeop | <5.4.0-1046.48 | 5.4.0-1046.48 |
| ubuntu/linux-gkeop-5.4 | <5.4.0-1046.48~18.04.1 | 5.4.0-1046.48~18.04.1 |
| ubuntu/linux-gkeop-5.4 | <5.17~ | 5.17~ |
| ubuntu/linux-hwe | <5.17~ | 5.17~ |
| ubuntu/linux-hwe | <4.15.0-189.200~16.04.1 | 4.15.0-189.200~16.04.1 |
| ubuntu/linux-hwe-5.11 | <5.17~ | 5.17~ |
| ubuntu/linux-hwe-5.13 | <5.17~ | 5.17~ |
| ubuntu/linux-hwe-5.15 | <5.17~ | 5.17~ |
| ubuntu/linux-hwe-5.4 | <5.4.0-117.132~18.04.1 | 5.4.0-117.132~18.04.1 |
| ubuntu/linux-hwe-5.4 | <5.17~ | 5.17~ |
| ubuntu/linux-hwe-5.8 | <5.17~ | 5.17~ |
| ubuntu/linux-hwe-edge | <5.17~ | 5.17~ |
| ubuntu/linux-ibm | <5.17~ | 5.17~ |
| ubuntu/linux-ibm | <5.4.0-1026.29 | 5.4.0-1026.29 |
| ubuntu/linux-ibm-5.4 | <5.17~ | 5.17~ |
| ubuntu/linux-ibm-5.4 | <5.4.0-1028.32~18.04.1 | 5.4.0-1028.32~18.04.1 |
| ubuntu/linux-intel-5.13 | <5.17~ | 5.17~ |
| ubuntu/linux-intel-iotg | <5.17~ | 5.17~ |
| ubuntu/linux-intel-iotg-5.15 | <5.15.0-1008.11~20.04.1 | 5.15.0-1008.11~20.04.1 |
| ubuntu/linux-intel-iotg-5.15 | <5.17~ | 5.17~ |
| ubuntu/linux-kvm | <4.15.0-1123.128 | 4.15.0-1123.128 |
| ubuntu/linux-kvm | <5.17~ | 5.17~ |
| ubuntu/linux-kvm | <5.4.0-1068.72 | 5.4.0-1068.72 |
| ubuntu/linux-lowlatency | <5.17~ | 5.17~ |
| ubuntu/linux-lowlatency-hwe-5.15 | <5.17~ | 5.17~ |
| ubuntu/linux-lts-xenial | <5.17~ | 5.17~ |
| ubuntu/linux-oem | <5.17~ | 5.17~ |
| ubuntu/linux-oem-5.10 | <5.17~ | 5.17~ |
| ubuntu/linux-oem-5.13 | <5.17~ | 5.17~ |
| ubuntu/linux-oem-5.14 | <5.14.0-1033.36 | 5.14.0-1033.36 |
| ubuntu/linux-oem-5.17 | <5.17~ | 5.17~ |
| ubuntu/linux-oem-5.6 | <5.17~ | 5.17~ |
| ubuntu/linux-oem-osp1 | <5.17~ | 5.17~ |
| ubuntu/linux-oracle | <5.17~ | 5.17~ |
| ubuntu/linux-oracle | <4.15.0-1102.113~16.04.1 | 4.15.0-1102.113~16.04.1 |
| ubuntu/linux-oracle | <4.15.0-1102.113 | 4.15.0-1102.113 |
| ubuntu/linux-oracle | <5.4.0-1076.83 | 5.4.0-1076.83 |
| ubuntu/linux-oracle-5.0 | <5.17~ | 5.17~ |
| ubuntu/linux-oracle-5.11 | <5.17~ | 5.17~ |
| ubuntu/linux-oracle-5.13 | <5.17~ | 5.17~ |
| ubuntu/linux-oracle-5.3 | <5.17~ | 5.17~ |
| ubuntu/linux-oracle-5.4 | <5.4.0-1076.83~18.04.1 | 5.4.0-1076.83~18.04.1 |
| ubuntu/linux-raspi | <5.4.0-1065.75 | 5.4.0-1065.75 |
| ubuntu/linux-raspi | <5.17~ | 5.17~ |
| ubuntu/linux-raspi-5.4 | <5.4.0-1065.75~18.04.1 | 5.4.0-1065.75~18.04.1 |
| ubuntu/linux-raspi-5.4 | <5.17~ | 5.17~ |
| ubuntu/linux-raspi2 | <4.15.0-1115.123 | 4.15.0-1115.123 |
| ubuntu/linux-raspi2 | <5.17~ | 5.17~ |
| ubuntu/linux-raspi2-5.3 | <5.17~ | 5.17~ |
| ubuntu/linux-riscv | <5.17~ | 5.17~ |
| ubuntu/linux-riscv-5.11 | <5.17~ | 5.17~ |
| ubuntu/linux-riscv-5.8 | <5.17~ | 5.17~ |
| ubuntu/linux-snapdragon | <4.15.0-1133.143 | 4.15.0-1133.143 |
| ubuntu/linux-snapdragon | <5.17~ | 5.17~ |
| All of | ||
| Redhat Virtualization Host | =4.0 | |
| Redhat Enterprise Linux | =8.0 | |
| All of | ||
| Redhat Codeready Linux Builder | ||
| Any of | ||
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =8.6 | |
| Redhat Enterprise Linux Eus | =8.6 | |
| Redhat Enterprise Linux For Power Little Endian | =8.0 | |
| Redhat Enterprise Linux For Power Little Endian Eus | =8.6 | |
| All of | ||
| Apple macOS Ventura | ||
| Apple macOS Big Sur | ||
| All of | ||
| Apple macOS Big Sur | ||
| Apple macOS Ventura | ||
| All of | ||
| Apple macOS Big Sur | ||
| Apple macOS Monterey | ||
| All of | ||
| Netapp H300e Firmware | ||
| Netapp H300e | ||
| All of | ||
| Netapp H500e Firmware | ||
| Netapp H500e | ||
| All of | ||
| Netapp H700e Firmware | ||
| Netapp H700e | ||
| All of | ||
| Apple macOS Monterey | ||
| Apple macOS Monterey | ||
| All of | ||
| Netapp H410c Firmware | ||
| Netapp H410c | ||
| redhat/Linux kernel | <5.16 | 5.16 |
| debian/linux | 4.19.249-2 4.19.304-1 5.10.197-1 5.10.205-2 6.1.66-1 6.1.69-1 6.6.13-1 6.6.15-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git/commit/?h=for-next
- https://bugzilla.redhat.com/show_bug.cgi?id=2064855
- https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html
- https://www.debian.org/security/2022/dsa-5173
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://launchpad.net/bugs/cve/CVE-2022-1011
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2065331
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2082384
- https://access.redhat.com/errata/RHSA-2022:1975
- https://access.redhat.com/errata/RHSA-2022:1988
- https://access.redhat.com/security/cve/cve-2022-1011
- https://www.cve.org/CVERecord?id=CVE-2022-1011 https://nvd.nist.gov/vuln/detail/CVE-2022-1011 https://lore.kernel.org/lkml/20220414110839.241541230@linuxfoundation.org/
- https://git.kernel.org/linus/0c4bcfdecb1ac0967619ee7ff44871d93c08c909
- https://security-tracker.debian.org/tracker/CVE-2022-1011
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1011
- https://git.kernel.org/linus/0c4bcfdecb1ac0967619ee7ff44871d93c08c909 (5.17-rc8)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BG4J46EMFPDD5QHYXDUI3PJCZQ7HQAZR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C5AUUDGSDLGYU7SZSK4PFAN22NISQZBT/
- https://ubuntu.com/security/notices/USN-5381-1
- https://ubuntu.com/security/notices/USN-5467-1
- https://ubuntu.com/security/notices/USN-5515-1
- https://ubuntu.com/security/notices/USN-5541-1
- https://nvd.nist.gov/vuln/detail/CVE-2022-1011
- https://git.kernel.org/linus/c3021629a0d820247ee12b6c5192a1d5380e21c6
- https://ubuntu.com/security/CVE-2022-1011
Parent vulnerabilities
(Appears in the following advisories)
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-1011
- collector/redhat-cve
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/5.17
- version/linux linux kernel/5.17-rc1
- version/linux linux kernel/5.17-rc2
- version/linux linux kernel/5.17-rc3
- version/linux linux kernel/5.17-rc4
- version/linux linux kernel/5.17-rc7
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/redhat
- canonical/redhat build of quarkus
- version/redhat build of quarkus/2.0
- canonical/redhat developer tools
- version/redhat developer tools/1.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/6.0
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/8.6
- canonical/redhat enterprise linux for ibm z systems
- version/redhat enterprise linux for ibm z systems/8.0
- canonical/redhat enterprise linux for ibm z systems eus
- version/redhat enterprise linux for ibm z systems eus/8.6
- canonical/redhat enterprise linux for power little endian
- version/redhat enterprise linux for power little endian/8.0
- canonical/redhat enterprise linux for power little endian eus
- version/redhat enterprise linux for power little endian eus/8.6
- canonical/redhat enterprise linux for real time
- version/redhat enterprise linux for real time/8
- canonical/redhat enterprise linux for real time for nfv
- version/redhat enterprise linux for real time for nfv/8
- canonical/redhat enterprise linux for real time for nfv tus
- version/redhat enterprise linux for real time for nfv tus/8.6
- canonical/redhat enterprise linux for real time tus
- version/redhat enterprise linux for real time tus/8.6
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/8.6
- canonical/redhat enterprise linux server for power little endian update services for sap solutions
- version/redhat enterprise linux server for power little endian update services for sap solutions/8.6
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/8.6
- canonical/redhat enterprise linux server update services for sap solutions
- version/redhat enterprise linux server update services for sap solutions/8.6
- canonical/redhat virtualization host
- version/redhat virtualization host/4.0
- canonical/redhat codeready linux builder
- version/redhat enterprise linux/8.6
- vendor/netapp
- canonical/apple macos ventura
- canonical/apple macos big sur
- canonical/apple macos monterey
- canonical/netapp h300e firmware
- canonical/netapp h300e
- canonical/netapp h500e firmware
- canonical/netapp h500e
- canonical/netapp h700e firmware
- canonical/netapp h700e
- canonical/netapp h410c firmware
- canonical/netapp h410c
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/oracle
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/22.1.3
- package-manager/redhat
- package-manager/debian
- package-manager/ubuntu