The kernel tree of CentOS Stream 9 suffers from multiple use-after-free conditions that were already patched in upstream stable trees.
a5f94e90c58a4d65e7349c5ac6abff2cbc680f758ae71b7d0bf35a8ec6642057
CentOS Stream 9: missing kernel security fixes
Someone reminded me last week that lots of enterprise Linux kernels are
not based on upstream stable trees. The most notable enterprise Linux
distro I'm aware of is RHEL (Red Hat Enterprise Linux), so I decided to
take a look at the kernel tree of CentOS Stream 9 - according to
<https://developers.redhat.com/products/rhel/contribute-to-rhel>
CentOS Stream is the closest freely available thing to RHEL.
The CentOS Stream 9 kernel
(<https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9>)
is based on the original upstream 5.14 release, so I decided to look
through for interesting commits in the linux-5.15.y stable tree and
check whether the same commits exist in the CentOS kernel tree.
One interesting candidate I found is
390031c94211 (\"coredump: Use the vma snapshot in fill_files_note\")
which fixes a locking bug that can lead to out-of-bounds writes,
but from what I can tell actually exploiting this would be a big pain
because unless you manage to race with the vulnerable code twice,
a memory write will happen approximately 4GiB out of bounds.
ebda44da44f6 (\"net: sched: fix race condition in qdisc_graft()\")
also looked maybe interesting.
9a2544037600 (\"ovl: fix use after free in struct ovl_aio_req\")
looks like a moderately nice bug, but I think it might only be
hittable on CentOS if an ext4 filesystem is mounted, although
https://access.redhat.com/articles/rhel-limits seems to imply
that ext4 is a supported filesystem on RHEL.
I am reporting this bug under our usual 90-day deadline this time because our
policy currently doesn't have anything stricter for cases where security fixes
aren't backported; we might change our treatment of this type of issue in the
future.
It would be good if upstream Linux and distributions like you could figure out
some kind of solution to keep your security fixes in sync, so that an attacker
who wants to quickly find a nice memory corruption bug in CentOS/RHEL can't
just find such bugs in the delta between upstream stable and your kernel.
(I realize there's probably a lot of history here.)
This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2023-03-19.
Related CVE Numbers: CVE-2023-1249,CVE-2023-0590,CVE-2023-1252.
Found by: jannh@google.com