CVE-2022-48921 in Linuxinfo

Summary

by MITRE • 08/22/2024

In the Linux kernel, the following vulnerability has been resolved:

sched/fair: Fix fault in reweight_entity

Syzbot found a GPF in reweight_entity. This has been bisected to commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid sched_task_group")

There is a race between sched_post_fork() and setpriority(PRIO_PGRP) within a thread group that causes a null-ptr-deref in reweight_entity() in CFS. The scenario is that the main process spawns number of new threads, which then call setpriority(PRIO_PGRP, 0, -20), wait, and exit. For each of the new threads the copy_process() gets invoked, which adds the new task_struct and calls sched_post_fork() for it.

In the above scenario there is a possibility that setpriority(PRIO_PGRP) and set_one_prio() will be called for a thread in the group that is just being created by copy_process(), and for which the sched_post_fork() has not been executed yet. This will trigger a null pointer dereference in reweight_entity(), as it will try to access the run queue pointer, which hasn't been set.

Before the mentioned change the cfs_rq pointer for the task has been set in sched_fork(), which is called much earlier in copy_process(), before the new task is added to the thread_group. Now it is done in the sched_post_fork(), which is called after that. To fix the issue the remove the update_load param from the update_load param() function and call reweight_task() only if the task flag doesn't have the TASK_NEW flag set.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/11/2025

The vulnerability CVE-2022-48921 represents a critical race condition in the Linux kernel's Completely Fair Scheduler (CFS) implementation that manifests as a null pointer dereference in the reweight_entity() function. This flaw occurs within the scheduler's fairness subsystem where the kernel attempts to manage process priorities and scheduling weights. The issue was identified through systematic testing by syzbot, an automated fuzzer that systematically explores kernel code paths to discover security vulnerabilities. The vulnerability was traced back to a specific commit 4ef0c5c6b5ba that modified the scheduling fork behavior, introducing a timing window where concurrent operations could lead to memory access violations.

The technical root cause stems from a race condition between two critical kernel operations: sched_post_fork() and setpriority(PRIO_PGRP). During thread creation, when a parent process spawns new threads that immediately call setpriority() with PRIO_PGRP, there exists a window where the newly created task_struct has not yet completed its initialization in sched_post_fork() but the setpriority() operation attempts to modify scheduling parameters. This creates a scenario where reweight_entity() tries to access the cfs_rq pointer of a task that has not yet been properly linked to its run queue, resulting in a null pointer dereference. The vulnerability specifically affects the CFS scheduler's handling of task group scheduling and priority modifications, where the task's run queue pointer remains uninitialized during the critical execution window.

The operational impact of this vulnerability is significant as it can lead to kernel crashes and system instability when exploited. An attacker who can control thread creation and priority modification operations within a process group can trigger a general protection fault (GPF) that results in a kernel panic, effectively causing a denial of service condition. This vulnerability is particularly concerning because it operates at the kernel level with full system privileges, potentially allowing attackers to escalate privileges or cause system-wide disruptions. The attack vector requires careful coordination of thread creation and priority setting operations, making it suitable for exploitation in multi-threaded applications or malicious code that attempts to manipulate scheduling behavior.

The fix implemented addresses this race condition by modifying the task initialization sequence and conditional execution logic. The solution removes the update_load parameter from the update_load() function and introduces a conditional check that only calls reweight_task() when the task flag does not have the TASK_NEW flag set. This ensures that scheduling weight re-computation only occurs after a task has completed its full initialization process and has been properly linked to its scheduling run queue. This approach aligns with the principle of avoiding premature operations in concurrent systems and follows established patterns for handling race conditions in kernel scheduling code. The mitigation effectively prevents the null pointer dereference while maintaining the intended functionality of the scheduler's priority management mechanisms.

This vulnerability demonstrates characteristics consistent with CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and relates to ATT&CK technique T1068 (Exploitation for Privilege Escalation) when considering potential exploitation paths. The fix represents a proper synchronization approach that ensures proper initialization ordering and prevents access to uninitialized data structures, which is fundamental to maintaining kernel stability and security. The resolution maintains the intended behavior of the scheduler while eliminating the race condition that could be exploited to cause system crashes or potentially gain elevated privileges within the kernel execution environment.

Responsible

Linux

Reservation

08/21/2024

Disclosure

08/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00168

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!