CVE-2022-0480: 
Linux Kernel vulnerability analysis and mitigation

A flaw was found in the filelock_init in fs/locks.c function in the Linux kernel (CVE-2022-0480). This vulnerability was discovered in 2022 and affects Linux kernel systems. The issue can lead to host memory exhaustion due to memcg not limiting the number of Portable Operating System Interface (POSIX) file locks (NVD, Red Hat).

The vulnerability exists in the filelock_init function within fs/locks.c of the Linux kernel. The core issue is that the memory cgroup (memcg) does not properly limit the number of POSIX file locks, allowing unlimited allocation of small but long-living objects per each open file. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to host memory exhaustion, as attackers can create file locks for each open file and force the kernel to allocate unlimited small but long-living objects. This is particularly concerning in containerized environments where the host's memory can be depleted from inside a memcg-limited container (GitHub Issue).

A patch was initially developed to enable accounting for file lock caches by adding SLABACCOUNT to the kmemcachecreate calls for file locks. However, this patch was later reverted due to performance concerns. For containerized environments, a temporary mitigation involves disabling the '-o posixlock' option. The issue has been addressed in various Linux distributions through security updates (Red Hat, Ubuntu).