ghsa-8px8-fjv5-9vgx
Vulnerability from github
Published
2025-06-18 12:30
Modified
2025-06-18 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

s390: fix double free of GS and RI CBs on fork() failure

The pointers for guarded storage and runtime instrumentation control blocks are stored in the thread_struct of the associated task. These pointers are initially copied on fork() via arch_dup_task_struct() and then cleared via copy_thread() before fork() returns. If fork() happens to fail after the initial task dup and before copy_thread(), the newly allocated task and associated thread_struct memory are freed via free_task() -> arch_release_task_struct(). This results in a double free of the guarded storage and runtime info structs because the fields in the failed task still refer to memory associated with the source task.

This problem can manifest as a BUG_ON() in set_freepointer() (with CONFIG_SLAB_FREELIST_HARDENED enabled) or KASAN splat (if enabled) when running trinity syscall fuzz tests on s390x. To avoid this problem, clear the associated pointer fields in arch_dup_task_struct() immediately after the new task is copied. Note that the RI flag is still cleared in copy_thread() because it resides in thread stack memory and that is where stack info is copied.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49990"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:26Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390: fix double free of GS and RI CBs on fork() failure\n\nThe pointers for guarded storage and runtime instrumentation control\nblocks are stored in the thread_struct of the associated task. These\npointers are initially copied on fork() via arch_dup_task_struct()\nand then cleared via copy_thread() before fork() returns. If fork()\nhappens to fail after the initial task dup and before copy_thread(),\nthe newly allocated task and associated thread_struct memory are\nfreed via free_task() -\u003e arch_release_task_struct(). This results in\na double free of the guarded storage and runtime info structs\nbecause the fields in the failed task still refer to memory\nassociated with the source task.\n\nThis problem can manifest as a BUG_ON() in set_freepointer() (with\nCONFIG_SLAB_FREELIST_HARDENED enabled) or KASAN splat (if enabled)\nwhen running trinity syscall fuzz tests on s390x. To avoid this\nproblem, clear the associated pointer fields in\narch_dup_task_struct() immediately after the new task is copied.\nNote that the RI flag is still cleared in copy_thread() because it\nresides in thread stack memory and that is where stack info is\ncopied.",
  "id": "GHSA-8px8-fjv5-9vgx",
  "modified": "2025-06-18T12:30:39Z",
  "published": "2025-06-18T12:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49990"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/13cccafe0edcd03bf1c841de8ab8a1c8e34f77d9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/25a95303b9e513cd2978aacc385d06e6fec23d07"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/297ae7e87a87a001dd3dfeac1cb26a42fd929708"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8195e065abf3df84eb0ad2987e76a40f21d1791c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cacd522e6652fbc2dc0cc6ae11c4e30782fef14b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fbdc482d43eda40a70de4b0155843d5472f6de62"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.