Bugzilla – Bug 1195487
VUL-0: CVE-2022-0480: kernel-source-azure,kernel-source,kernel-source-rt: memcg does not limit the number of POSIX file locks allowing memory exhaustion
Last modified: 2024-02-13 10:06:18 UTC
rh#2049700 A flaw was found in the Linux kernel. A host memory exhaustion is possible because memcg does not limit the number of POSIX file locks.
References:
https://github.com/kata-containers/kata-containers/issues/3373
https://bugzilla.redhat.com/show_bug.cgi?id=2049700
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0480
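Since the kernel does not charge POSIX lock memory to the memcg, the cheapest host-side signal is the lock count itself. The following is an added monitoring example, not part of the bug report or any kernel patch: it parses /proc/locks, counts held POSIX locks per PID and reports processes over a threshold. The /proc/locks excerpt is constructed; the threshold is an assumed operator choice.

```python
"""Count held POSIX file locks per process from /proc/locks (added example)."""
from collections import Counter
from typing import Dict, List

# Constructed /proc/locks excerpt. The "->" line is a blocked waiter, which the
# kernel prints beneath the lock it waits on; OFD locks report PID -1.
SAMPLE_PROC_LOCKS = """\
1: POSIX  ADVISORY  WRITE 1234 08:02:123456 0 EOF
2: FLOCK  ADVISORY  WRITE 5678 08:02:234567 0 EOF
3: POSIX  ADVISORY  READ  1234 08:02:345678 0 1023
3: -> POSIX  ADVISORY  WRITE 9999 08:02:345678 0 1023
4: OFDLCK ADVISORY  WRITE -1 08:02:456789 0 EOF
5: POSIX  ADVISORY  WRITE 1234 08:02:567890 1024 2047
"""


def parse_locks(text: str) -> List[dict]:
    """Return one record per held lock; waiters and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Layout: ID: TYPE ACCESS MODE PID MAJ:MIN:INODE START END
        if len(fields) < 8 or fields[1] == "->":
            continue
        records.append({
            "type": fields[1],
            "mode": fields[3],
            "pid": int(fields[4]),
            "inode": fields[5],
        })
    return records


def posix_locks_per_pid(text: str) -> Dict[int, int]:
    """Count held POSIX (fcntl) locks keyed by the owning PID."""
    counts: Counter = Counter()
    for rec in parse_locks(text):
        if rec["type"] == "POSIX":
            counts[rec["pid"]] += 1
    return dict(counts)


def offenders(text: str, threshold: int) -> List[int]:
    """PIDs holding at least `threshold` POSIX locks, highest count first."""
    counts = posix_locks_per_pid(text)
    return sorted((p for p, n in counts.items() if n >= threshold),
                  key=lambda p: (-counts[p], p))


if __name__ == "__main__":
    # Live use on a Linux host; the threshold is an assumed operator choice.
    with open("/proc/locks") as f:
        print(offenders(f.read(), threshold=10000))
```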
There is no real fix for this issue. The supposed fix [0] was reverted due to a performance regression [1], and as far as I can tell, this was never addressed again. cve/linux-4.4 and older branches do not contain the intended fix, and newer branches contain the revert, so no branches are left in the intermediate state.
[0] https://github.com/torvalds/linux/commit/0f12156dff2862ac54235fc72703f18770769042
[1] https://github.com/torvalds/linux/commit/3754707bcc3e190e5dadc978d172b61e809cb3bd
Carlos, we've gone through all the patch-revert dance in SLES kernels, ending up with the reverts. For this particular case, see also bug 1190115, comment 6. Let me check if there's anything new [1] that could justify this change against performance impact.
[1] BTW the Launchpad link [2] referenced from GH gives me kind of a 404.
[2] https://bugs.launchpad.net/katacontainers.io/+bug/1956283
There's been no response to my reminder upstream. In theory, this CVE bug could be rejected as invalid since there's no solution in the upstream. Besides that I can see three options for how to move the underlying issue forward: 1) attack the security aspect, 2) attack the performance regression, 3) find an efficient solution. 1) and 2) are pushing against each other (and 2) against Linus too) so that's a bit of a stalemate. No. 3) requires more involved analysis of the performance regression; that's my direction now.
(In reply to Michal Koutný from comment #5)
> I'll post an update by two weeks.
That didn't work out well last time. Bumping my internal priority.
This bug has the status of part security and part performance problem. The upstream prioritizes performance conservation, so there's no solution to the CVE currently. I propose resolving this as wontfix from our PoV, i.e. I reassign the bug back to the sec team _without_ submitting anything to our kernels. FTR, I've filed an upstream BZ [1] entry to track the problem there.
[1] https://bugzilla.kernel.org/show_bug.cgi?id=216038
Closing as WONTFIX then. Feel free to reopen if there are any further developments upstream.