CVE-2022-1011: Use After Free
First published: Mon Mar 07 2022(Updated: )
A flaw in the Linux Kernel found. If unprivileged users can mount FUSE filesystems, then can trigger use after free (UAF) that reads of write() buffers, allowing theft of (partial) /etc/shadow hashes or any other data from filesystem. FUSE allows the userspace filesystem to specify on FUSE_OPEN whether the file should use the normal kernel pagecache for handling read()/write() or just send FUSE_READ/FUSE_WRITE requests directly to the userspace filesystem (using the flag FOPEN_DIRECT_IO in fuse_open_out::open_flags). In FOPEN_DIRECT_IO mode, fuse_file_write_iter() calls fuse_direct_write_iter(), which normally calls fuse_direct_io(), which then imports the write buffer with fuse_get_user_pages(), which uses iov_iter_get_pages() to grab references to userspace pages instead of actually copying memory. On the filesystem device side, these pages can then either be read to userspace (via fuse_dev_read()), or splice()d over into a pipe using fuse_dev_splice_read() as pipe buffers with &nosteal_pipe_buf_ops. This is wrong because after fuse_dev_do_read() unlocks the FUSE request, the userspace filesystem can mark the request as completed, causing write() to return. At that point, the write buffer may be reused for other purposes, and the userspace filesystem should no longer have access to it.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:4.18.0-372.9.1.rt7.166.el8 | 0:4.18.0-372.9.1.rt7.166.el8 |
| redhat/kernel | <0:4.18.0-372.9.1.el8 | 0:4.18.0-372.9.1.el8 |
| redhat/Linux kernel | <5.16 | 5.16 |
| Linux Kernel | <5.17 | |
| Linux Kernel | =5.17 | |
| Linux Kernel | =5.17-rc1 | |
| Linux Kernel | =5.17-rc2 | |
| Linux Kernel | =5.17-rc3 | |
| Linux Kernel | =5.17-rc4 | |
| Linux Kernel | =5.17-rc7 | |
| Red Hat Fedora | =34 | |
| Red Hat Fedora | =35 | |
| Red Hat Quarkus | =2.0 | |
| Red Hat Developer Tools | =1.0 | |
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux Server EUS | =8.6 | |
| Red Hat Enterprise Linux for IBM Z Systems | =8.0 | |
| Red Hat Enterprise Linux for IBM Z Systems (s390x) | =8.6 | |
| Red Hat Enterprise Linux for Power, little endian | =8.0 | |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =8.6 | |
| Red Hat Enterprise Linux for Real Time | =8 | |
| Red Hat Enterprise Linux for Real Time for NFV | =8 | |
| Red Hat Enterprise Linux for Real Time for NFV | =8.6 | |
| Red Hat Enterprise Linux for Real Time | =8.6 | |
| Red Hat Enterprise Linux Server | =8.6 | |
| Red Hat Enterprise Linux for SAP Applications for Power, little endian - Extended Update Support | =8.6 | |
| Red Hat Enterprise Linux Server | =8.6 | |
| Red Hat Enterprise Linux Server Update Services for SAP Solutions | =8.6 | |
| All of | ||
| Red Hat Virtualization Host EUS | =4.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| All of | ||
| Red Hat CodeReady Linux Builder | ||
| Any of | ||
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux | =8.6 | |
| Red Hat Enterprise Linux Server EUS | =8.6 | |
| Red Hat Enterprise Linux for Power, little endian | =8.0 | |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =8.6 | |
| All of | ||
| NetApp H300S Firmware | ||
| NetApp H300S Firmware | ||
| All of | ||
| NetApp H500e Firmware | ||
| NetApp H500e Firmware | ||
| All of | ||
| NetApp H700S | ||
| NetApp H700S | ||
| All of | ||
| NetApp H300E | ||
| NetApp H300E Firmware | ||
| All of | ||
| NetApp H500S Firmware | ||
| NetApp H500e Firmware | ||
| All of | ||
| NetApp H700E | ||
| NetApp H700E | ||
| All of | ||
| NetApp H410S | ||
| NetApp H410S Firmware | ||
| All of | ||
| NetApp H410C | ||
| NetApp H410C Firmware | ||
| Debian Linux | =9.0 | |
| Debian Linux | =10.0 | |
| Oracle Communications Cloud Native Core Binding Support Function | =22.1.3 | |
| Red Hat Virtualization Host EUS | =4.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat CodeReady Linux Builder | ||
| Red Hat Enterprise Linux | =8.6 | |
| Red Hat Enterprise Linux Server EUS | =8.6 | |
| Red Hat Enterprise Linux for Power, little endian | =8.0 | |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =8.6 | |
| NetApp H300S Firmware | ||
| NetApp H300S Firmware | ||
| NetApp H500e Firmware | ||
| NetApp H500e Firmware | ||
| NetApp H700S | ||
| NetApp H700S | ||
| NetApp H300E | ||
| NetApp H300E Firmware | ||
| NetApp H500S Firmware | ||
| NetApp H500e Firmware | ||
| NetApp H700E | ||
| NetApp H700E | ||
| NetApp H410S | ||
| NetApp H410S Firmware | ||
| NetApp H410C | ||
| NetApp H410C Firmware | ||
| debian/linux | 5.10.223-1 5.10.234-1 6.1.129-1 6.1.128-1 6.12.20-1 6.12.21-1 |
Remedy
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-1011 https://nvd.nist.gov/vuln/detail/CVE-2022-1011 https://lore.kernel.org/lkml/20220414110839.241541230@linuxfoundation.org/
- https://bugzilla.redhat.com/show_bug.cgi?id=2064855
- https://access.redhat.com/errata/RHSA-2022:1975
- https://access.redhat.com/errata/RHSA-2022:1988
- https://access.redhat.com/security/cve/cve-2022-1011
- https://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git/commit/?h=for-next
- https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html
- https://www.debian.org/security/2022/dsa-5173
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://launchpad.net/bugs/cve/CVE-2022-1011
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2065331
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2082384
- https://access.redhat.com/errata/RHSA-2024:5259
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1011
- https://nvd.nist.gov/vuln/detail/CVE-2022-1011
- https://security-tracker.debian.org/tracker/CVE-2022-1011
- https://ubuntu.com/security/CVE-2022-1011
- https://git.kernel.org/linus/0c4bcfdecb1ac0967619ee7ff44871d93c08c909
Frequently Asked Questions
What is the severity of CVE-2022-1011?
CVE-2022-1011 is considered a medium severity vulnerability due to its potential to allow unauthorized access to sensitive files.
How do I fix CVE-2022-1011?
To remediate CVE-2022-1011, upgrade to the fixed versions of the Linux kernel as specified in the patches provided by your distribution.
What systems are affected by CVE-2022-1011?
CVE-2022-1011 affects specific versions of the Linux kernel including Red Hat kernel versions 4.18.0-372.9.1 and 5.16, among others.
What type of vulnerability is CVE-2022-1011?
CVE-2022-1011 is a use after free (UAF) vulnerability that can lead to information disclosure.
Who is impacted by CVE-2022-1011?
Unprivileged users who can mount FUSE filesystems on affected systems are at risk from CVE-2022-1011.
- collector/redhat-cve
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/first-publish-date
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-1011
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/trending
- agent/source
- agent/author
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- collector/security-tracker-debian
- source/Debian
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- version/linux kernel/5.17
- version/linux kernel/5.17-rc1
- version/linux kernel/5.17-rc2
- version/linux kernel/5.17-rc3
- version/linux kernel/5.17-rc4
- version/linux kernel/5.17-rc7
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/34
- version/red hat fedora/35
- vendor/redhat
- canonical/red hat quarkus
- version/red hat quarkus/2.0
- canonical/red hat developer tools
- version/red hat developer tools/1.0
- canonical/red hat enterprise linux
- version/red hat enterprise linux/6.0
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/8.0
- canonical/red hat enterprise linux server eus
- version/red hat enterprise linux server eus/8.6
- canonical/red hat enterprise linux for ibm z systems
- version/red hat enterprise linux for ibm z systems/8.0
- canonical/red hat enterprise linux for ibm z systems (s390x)
- version/red hat enterprise linux for ibm z systems (s390x)/8.6
- canonical/red hat enterprise linux for power, little endian
- version/red hat enterprise linux for power, little endian/8.0
- canonical/red hat enterprise linux for power, little endian - extended update support
- version/red hat enterprise linux for power, little endian - extended update support/8.6
- canonical/red hat enterprise linux for real time
- version/red hat enterprise linux for real time/8
- canonical/red hat enterprise linux for real time for nfv
- version/red hat enterprise linux for real time for nfv/8
- version/red hat enterprise linux for real time for nfv/8.6
- version/red hat enterprise linux for real time/8.6
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/8.6
- canonical/red hat enterprise linux for sap applications for power, little endian - extended update support
- version/red hat enterprise linux for sap applications for power, little endian - extended update support/8.6
- canonical/red hat enterprise linux server update services for sap solutions
- version/red hat enterprise linux server update services for sap solutions/8.6
- canonical/red hat virtualization host eus
- version/red hat virtualization host eus/4.0
- canonical/red hat codeready linux builder
- version/red hat enterprise linux/8.6
- vendor/netapp
- canonical/netapp h300s firmware
- canonical/netapp h500e firmware
- canonical/netapp h700s
- canonical/netapp h300e
- canonical/netapp h300e firmware
- canonical/netapp h500s firmware
- canonical/netapp h700e
- canonical/netapp h410s
- canonical/netapp h410s firmware
- canonical/netapp h410c
- canonical/netapp h410c firmware
- vendor/debian
- canonical/debian linux
- version/debian linux/9.0
- version/debian linux/10.0
- vendor/oracle
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/22.1.3
- package-manager/debian