{
  "threat_severity" : "Moderate",
  "public_date" : "2025-02-26T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: mm/mempolicy: fix uninit-value in mpol_rebind_policy()",
    "id" : "2347961",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2347961"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-908",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmm/mempolicy: fix uninit-value in mpol_rebind_policy()\nmpol_set_nodemask()(mm/mempolicy.c) does not set up nodemask when\npol->mode is MPOL_LOCAL.  Check pol->mode before access\npol->w.cpuset_mems_allowed in mpol_rebind_policy()(mm/mempolicy.c).\nBUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:352 [inline]\nBUG: KMSAN: uninit-value in mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368\nmpol_rebind_policy mm/mempolicy.c:352 [inline]\nmpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368\ncpuset_change_task_nodemask kernel/cgroup/cpuset.c:1711 [inline]\ncpuset_attach+0x787/0x15e0 kernel/cgroup/cpuset.c:2278\ncgroup_migrate_execute+0x1023/0x1d20 kernel/cgroup/cgroup.c:2515\ncgroup_migrate kernel/cgroup/cgroup.c:2771 [inline]\ncgroup_attach_task+0x540/0x8b0 kernel/cgroup/cgroup.c:2804\n__cgroup1_procs_write+0x5cc/0x7a0 kernel/cgroup/cgroup-v1.c:520\ncgroup1_tasks_write+0x94/0xb0 kernel/cgroup/cgroup-v1.c:539\ncgroup_file_write+0x4c2/0x9e0 kernel/cgroup/cgroup.c:3852\nkernfs_fop_write_iter+0x66a/0x9f0 fs/kernfs/file.c:296\ncall_write_iter include/linux/fs.h:2162 [inline]\nnew_sync_write fs/read_write.c:503 [inline]\nvfs_write+0x1318/0x2030 fs/read_write.c:590\nksys_write+0x28b/0x510 fs/read_write.c:643\n__do_sys_write fs/read_write.c:655 [inline]\n__se_sys_write fs/read_write.c:652 [inline]\n__x64_sys_write+0xdb/0x120 fs/read_write.c:652\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nUninit was created at:\nslab_post_alloc_hook mm/slab.h:524 [inline]\nslab_alloc_node mm/slub.c:3251 [inline]\nslab_alloc mm/slub.c:3259 [inline]\nkmem_cache_alloc+0x902/0x11c0 mm/slub.c:3264\nmpol_new mm/mempolicy.c:293 [inline]\ndo_set_mempolicy+0x421/0xb70 mm/mempolicy.c:853\nkernel_set_mempolicy mm/mempolicy.c:1504 [inline]\n__do_sys_set_mempolicy mm/mempolicy.c:1510 [inline]\n__se_sys_set_mempolicy+0x44c/0xb60 mm/mempolicy.c:1507\n__x64_sys_set_mempolicy+0xd8/0x110 mm/mempolicy.c:1507\ndo_syscall_x64 arch/x86/entry/common.c:51 [inline]\ndo_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nKMSAN: uninit-value in mpol_rebind_task (2)\nhttps://syzkaller.appspot.com/bug?id=d6eb90f952c2a5de9ea718a1b873c55cb13b59dc\nThis patch seems to fix below bug too.\nKMSAN: uninit-value in mpol_rebind_mm (2)\nhttps://syzkaller.appspot.com/bug?id=f2fecd0d7013f54ec4162f60743a2b28df40926b\nThe uninit-value is pol->w.cpuset_mems_allowed in mpol_rebind_policy().\nWhen syzkaller reproducer runs to the beginning of mpol_new(),\nmpol_new() mm/mempolicy.c\ndo_mbind() mm/mempolicy.c\nkernel_mbind() mm/mempolicy.c\n`mode` is 1(MPOL_PREFERRED), nodes_empty(*nodes) is `true` and `flags`\nis 0. Then\nmode = MPOL_LOCAL;\n...\npolicy->mode = mode;\npolicy->flags = flags;\nwill be executed. So in mpol_set_nodemask(),\nmpol_set_nodemask() mm/mempolicy.c\ndo_mbind()\nkernel_mbind()\npol->mode is 4 (MPOL_LOCAL), that `nodemask` in `pol` is not initialized,\nwhich will be accessed in mpol_rebind_policy()." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49567\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49567\nhttps://lore.kernel.org/linux-cve-announce/2025022606-CVE-2022-49567-6118@gregkh/T" ],
  "name" : "CVE-2022-49567",
  "csaw" : false
}