Описание
In the Linux kernel, the following vulnerability has been resolved:
io_uring/sqpoll: fix sqpoll error handling races
BUG: KASAN: slab-use-after-free in __lock_acquire+0x370b/0x4a10 kernel/locking/lockdep.c:5089 Call Trace: ... _raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline] try_to_wake_up+0xb5/0x23c0 kernel/sched/core.c:4205 io_sq_thread_park+0xac/0xe0 io_uring/sqpoll.c:55 io_sq_thread_finish+0x6b/0x310 io_uring/sqpoll.c:96 io_sq_offload_create+0x162/0x11d0 io_uring/sqpoll.c:497 io_uring_create io_uring/io_uring.c:3724 [inline] io_uring_setup+0x1728/0x3230 io_uring/io_uring.c:3806 ...
Kun Hu reports that the SQPOLL creating error path has UAF, which happens if io_uring_alloc_task_context() fails and then io_sq_thread() manages to run and complete before the rest of error handling code, which means io_sq_thread_finish() is looking at already killed task.
Note that this is mostly the...
In the Linux kernel, the following vulnerability has been resolved:
io_uring/sqpoll: fix sqpoll error handling races
BUG: KASAN: slab-use-after-free in __lock_acquire+0x370b/0x4a10 kernel/locking/lockdep.c:5089 Call Trace: ... _raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline] try_to_wake_up+0xb5/0x23c0 kernel/sched/core.c:4205 io_sq_thread_park+0xac/0xe0 io_uring/sqpoll.c:55 io_sq_thread_finish+0x6b/0x310 io_uring/sqpoll.c:96 io_sq_offload_create+0x162/0x11d0 io_uring/sqpoll.c:497 io_uring_create io_uring/io_uring.c:3724 [inline] io_uring_setup+0x1728/0x3230 io_uring/io_uring.c:3806 ...
Kun Hu reports that the SQPOLL creating error path has UAF, which happens if io_uring_alloc_task_context() fails and then io_sq_thread() manages to run and complete before the rest of error handling code, which means io_sq_thread_finish() is looking at already killed task.
Note that this is mostly theoretical, requiring fault injection on the allocation side to trigger in practice.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2024-56762
- https://git.kernel.org/stable/c/6237331361711810d8f2e3fbfe2f7a6f9548f5e0
- https://git.kernel.org/stable/c/80120bb4eef7848d5aa3b1a0cd88367cd05fbe03
- https://git.kernel.org/stable/c/8e8494c83cf73168118587e9567e4f7e50ce4fd8
- https://git.kernel.org/stable/c/e33ac68e5e21ec1292490dfe061e75c0dbdd3bd4
CVE ID
Связанные уязвимости
[REJECTED CVE] A use-after-free (UAF) vulnerability was identified in the Linux kernel’s io_uring subsystem, specifically in SQPOLL error handling. If io_uring_alloc_task_context() fails while io_sq_thread() runs and completes before the error handling executes, io_sq_thread_finish() may attempt to access an already freed task, leading to potential system instability. While the issue is mostly theoretical and requires fault injection to trigger, could lead to crashes or unpredictable behavior.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.