oss-sec mailing list archives
CVE-2022-2585 - Linux kernel POSIX CPU timer UAF
From: Thadeu Lima de Souza Cascardo <cascardo () canonical com>
Date: Tue, 9 Aug 2022 14:13:40 -0300

It was discovered that when exec'ing from a non-leader thread, armed POSIX
CPU timers would be left on a list but freed, leading to a use-after-free.

An independent security researcher working with SSD Secure Disclosure
discovered that this vulnerability could be exploited for Local Privilege
Escalation.

This bug was introduced by commit 55e8c8eb2c7b ("posix-cpu-timers: Store a
reference to a pid not a task"), which is present since v5.7-rc1.

This has been assigned CVE-2022-2585.

A PoC that will trigger KASAN is going to be posted in a week.

A fix has been sent to linux-kernel () vger kernel org and is at
https://lore.kernel.org/lkml/20220809170751.164716-1-cascardo@canonical.com/T/#u.
