NACK/ Cmnt: [SRU][F][PATCH 0/1] CVE-2023-21400

Roxana Nicolescu roxana.nicolescu at canonical.com
Wed Oct 2 05:58:49 UTC 2024


On 01/10/2024 18:48, Mehmet Basaran wrote:
> I don't know if this is an issue but I saw other patches stating the
> branch name for linux-<version>.y branches. We probably need to
> mention that in "backported from commit" line:
>
> (backported from commit fb348857e7b67eefe365052f1423427b66dedbf3 linux-5.15.y)
Good point, the commit is not part of the mainline tree. It even says so 
in the commit message.
Please resubmit.

>
> Chengen Du <chengen.du at canonical.com> writes:
>
>> CVE-2023-21400
>>
>> BugLink: https://bugs.launchpad.net/bugs/2078659
>>
>> SRU Justification:
>>
>> [Impact]
>> io_commit_cqring() writes the CQ ring tail to make it visible and also triggers any deferred work.
>> When a ring is set up with IOPOLL, it doesn't require locking around the CQ ring updates.
>> However, if there is deferred work that needs processing, io_queue_deferred() assumes that the completion_lock is held.
>> The io_uring subsystem does not properly handle locking for rings with IOPOLL, leading to a double-free vulnerability, which can be exploited as CVE-2023-21400.
>>
>> [Fix]
>> There is a commit that fixed this issue.
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fb348857e7b67eefe365052f1423427b66dedbf3
>>
>> There is no direct upstream commit for this issue, and the patch needs to be reworked to apply to version 5.4.
>>
>> [Test Plan]
>> This is a timing issue that can be verified by testing the normal behavior.
>> The test should cover the exact call path and ensure that no deadlock occurs.
>> For the userspace program, you can implement it using the liburing library and choose the XFS filesystem, as it implements the iopoll function hook.
>> The io_uring_params flag should be set to (IORING_SETUP_SQPOLL | IORING_SETUP_IOPOLL) and use O_DIRECT to open the XFS file for reading operations.
>> The test should be executed multiple times to ensure that no deadlocks occur.
>>
>> [Where problems could occur]
>> The problematic call path can be triggered under specific usage scenarios and only affects io_uring functionality.
>> If the patch contains any issues, it may lead to a deadlock.
>>
>> Jens Axboe (1):
>>    io_uring: ensure IOPOLL locks around deferred work
>>
>>   fs/io_uring.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> --
>> 2.43.0
>>
>>
>> --
>> kernel-team mailing list
>> kernel-team at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>>
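A minimal userspace driver for the test plan quoted above, written as an added example (it is not Chengen Du's test program and not part of the patch): it uses the raw io_uring syscalls from linux/io_uring.h instead of liburing so that it builds against kernel UAPI headers alone, assumes `path` names a file of at least 8 KiB on an XFS filesystem opened with O_DIRECT, and marks the second request IOSQE_IO_DRAIN on the assumption that drained requests are what produces the deferred work the fix guards.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/io_uring.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <unistd.h>
#define BLK 4096   /* O_DIRECT needs sector-aligned buffers, offsets and lengths */
#define NREQ 2
/* Submit NREQ O_DIRECT reads of `path` on an SQPOLL|IOPOLL ring and reap them. Returns the
 * number of completed reads, or <0 on failure: -1 open, -2 io_uring_setup (SQPOLL needs
 * CAP_SYS_ADMIN on 5.4), -3 register/mmap, -4 a read failed (e.g. the fs has no iopoll). */
int iopoll_read_round(const char *path)
{
    int done = 0, fd = open(path, O_RDONLY | O_DIRECT); if (fd < 0) return -1;
    struct io_uring_params p = { .flags = IORING_SETUP_SQPOLL | IORING_SETUP_IOPOLL };
    int ring = syscall(__NR_io_uring_setup, 8, &p); if (ring < 0) { close(fd); return -2; }
    /* The 5.4 sq thread only submits registered (fixed) files, so register fd as index 0 */
    if (syscall(__NR_io_uring_register, ring, IORING_REGISTER_FILES, &fd, 1) < 0) { done = -3; goto out; }
    int prot = PROT_READ | PROT_WRITE, mf = MAP_SHARED | MAP_POPULATE;
    char *sq = mmap(NULL, p.sq_off.array + p.sq_entries * sizeof(unsigned), prot, mf, ring, IORING_OFF_SQ_RING);
    char *cq = mmap(NULL, p.cq_off.cqes + p.cq_entries * sizeof(struct io_uring_cqe), prot, mf, ring, IORING_OFF_CQ_RING);
    struct io_uring_sqe *sqes = mmap(NULL, p.sq_entries * sizeof(*sqes), prot, mf, ring, IORING_OFF_SQES);
    if (sq == MAP_FAILED || cq == MAP_FAILED || sqes == MAP_FAILED) { done = -3; goto out; }
    _Atomic unsigned *sq_tail = (void *)(sq + p.sq_off.tail), *sq_flags = (void *)(sq + p.sq_off.flags);
    _Atomic unsigned *cq_head = (void *)(cq + p.cq_off.head), *cq_tail = (void *)(cq + p.cq_off.tail);
    unsigned *sq_array = (void *)(sq + p.sq_off.array), sq_mask = *(unsigned *)(sq + p.sq_off.ring_mask), tail = *sq_tail;
    unsigned cq_mask = *(unsigned *)(cq + p.cq_off.ring_mask); struct io_uring_cqe *cqes = (void *)(cq + p.cq_off.cqes);
    char *bufs = aligned_alloc(BLK, NREQ * BLK); struct iovec iov[NREQ];
    for (int i = 0; i < NREQ; i++) {            /* one READV SQE per block, queued through the sq array */
        iov[i] = (struct iovec){ bufs + i * BLK, BLK }; memset(&sqes[i], 0, sizeof sqes[i]);
        sqes[i].opcode = IORING_OP_READV; sqes[i].fd = 0; sqes[i].flags = IOSQE_FIXED_FILE;
        sqes[i].addr = (unsigned long)&iov[i]; sqes[i].len = 1; sqes[i].off = i * BLK; sqes[i].user_data = i + 1;
        if (i) sqes[i].flags |= IOSQE_IO_DRAIN; /* assumption: drain is what queues deferred work on the ring */
        sq_array[(tail + i) & sq_mask] = i;
    }
    atomic_store_explicit(sq_tail, tail + NREQ, memory_order_release); /* publish to the sq thread */
    while (done >= 0 && done < NREQ) {          /* IOPOLL: the caller has to poll for completions itself */
        unsigned ef = IORING_ENTER_GETEVENTS | ((atomic_load(sq_flags) & IORING_SQ_NEED_WAKEUP) ? IORING_ENTER_SQ_WAKEUP : 0);
        syscall(__NR_io_uring_enter, ring, NREQ, 1, ef, NULL, 0);
        unsigned head = atomic_load_explicit(cq_head, memory_order_acquire);
        for (; done >= 0 && head != atomic_load_explicit(cq_tail, memory_order_acquire); head++)
            done = cqes[head & cq_mask].res < 0 ? -4 : done + 1;
        atomic_store_explicit(cq_head, head, memory_order_release);
    }
    free(bufs);
out: close(ring); close(fd); return done;
}
```

Call iopoll_read_round() repeatedly from a main() loop, as the test plan asks; a call that never returns is the deadlock the plan is checking for.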