From patchwork Fri Sep 27 06:37:50 2024
X-Patchwork-Submitter: Chengen Du
X-Patchwork-Id: 1990141
From: Chengen Du
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 0/1] CVE-2023-21400
Date: Fri, 27 Sep 2024 14:37:50 +0800
Message-ID: <20240927063755.112103-1-chengen.du@canonical.com>

CVE-2023-21400

BugLink: https://bugs.launchpad.net/bugs/2078659

SRU Justification:

[Impact]
io_commit_cqring() writes the CQ ring tail to make it visible and also
triggers any deferred work. When a ring is set up with IOPOLL, it doesn't
require locking around the CQ ring updates. However, if there is deferred
work that needs processing, io_queue_deferred() assumes that the
completion_lock is held. The io_uring subsystem does not properly handle
locking for rings with IOPOLL, leading to a double-free vulnerability,
which can be exploited as CVE-2023-21400.

[Fix]
There is a commit that fixed this issue.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fb348857e7b67eefe365052f1423427b66dedbf3
There is no direct upstream commit for this issue, and the patch needs to
be reworked to apply to version 5.4.

[Test Plan]
This is a timing issue that can be verified by testing the normal
behavior. The test should cover the exact call path and ensure that no
deadlock occurs. The userspace program can be implemented with the
liburing library; choose the XFS filesystem, as it implements the iopoll
function hook. The io_uring_params flags should be set to
(IORING_SETUP_SQPOLL | IORING_SETUP_IOPOLL), and the XFS file should be
opened with O_DIRECT for read operations. The test should be executed
multiple times to ensure that no deadlocks occur.

[Where problems could occur]
The problematic call path can be triggered under specific usage scenarios
and only affects io_uring functionality. If the patch contains any issues,
it may lead to a deadlock.

Jens Axboe (1):
  io_uring: ensure IOPOLL locks around deferred work

 fs/io_uring.c | 4 ++++
 1 file changed, 4 insertions(+)

Acked-by: Mehmet Basaran
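The [Test Plan] above describes the reproducer only in prose. What follows is an added example of such a program; it is my own code, not the patch author's, Canonical's or liburing's. It departs from the plan in one respect, stated plainly: it drives the ring through the raw io_uring_setup/io_uring_register/io_uring_enter syscalls and the uapi <linux/io_uring.h> header instead of liburing, so it builds with nothing beyond the kernel headers. Everything the cover letter does not state is my assumption: argv[1] is a file on an XFS mount at least 32 KiB long; the program runs as root, since a 5.4 kernel requires CAP_SYS_ADMIN for SQPOLL and requires SQPOLL submissions to use registered files (hence IORING_REGISTER_FILES and IOSQE_FIXED_FILE); IORING_OP_READV is used because 5.4 has no IORING_OP_READ and readv is the IOPOLL-capable read there; and every other request carries IOSQE_IO_DRAIN, which is what places a request on the deferred list that io_queue_deferred() walks, so the path the cover letter describes actually has deferred work to run.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <linux/io_uring.h>

#ifndef __NR_io_uring_setup   /* older glibc: x86_64/generic syscall numbers */
#define __NR_io_uring_setup 425
#define __NR_io_uring_enter 426
#define __NR_io_uring_register 427
#endif
#define ENTRIES 8
#define BLK 4096   /* O_DIRECT wants buffer, length and offset aligned to this */
#define AT(base, off) ((void *)((char *)(base) + (off)))
/* Ring flags from the test plan: an SQ thread submits, completions are polled. */
static unsigned ring_flags(void) { return IORING_SETUP_SQPOLL | IORING_SETUP_IOPOLL; }
/* A polled read is good only if cqe->res equals the byte count requested. */
static int read_ok(int res, unsigned want) { return res == (int)want; }

struct ring {
	int fd;
	unsigned *sq_tail, *sq_mask, *sq_array, *sq_flags, *cq_head, *cq_tail, *cq_mask;
	struct io_uring_sqe *sqes; struct io_uring_cqe *cqes;
};

/* io_uring_setup() plus the three ring mmaps; returns -1 with errno set on failure. */
static int ring_init(struct ring *r)
{
	struct io_uring_params p = { .flags = ring_flags(), .sq_thread_idle = 1000 };
	int prot = PROT_READ | PROT_WRITE, map = MAP_SHARED | MAP_POPULATE;
	r->fd = syscall(__NR_io_uring_setup, ENTRIES, &p);
	if (r->fd < 0) return -1;
	char *sq = mmap(NULL, p.sq_off.array + p.sq_entries * sizeof(unsigned), prot, map, r->fd, IORING_OFF_SQ_RING);
	char *cq = mmap(NULL, p.cq_off.cqes + p.cq_entries * sizeof(struct io_uring_cqe), prot, map, r->fd, IORING_OFF_CQ_RING);
	r->sqes = mmap(NULL, p.sq_entries * sizeof(struct io_uring_sqe), prot, map, r->fd, IORING_OFF_SQES);
	if (sq == MAP_FAILED || cq == MAP_FAILED || r->sqes == MAP_FAILED) return -1;
	r->sq_tail = AT(sq, p.sq_off.tail);      r->sq_mask = AT(sq, p.sq_off.ring_mask);
	r->sq_array = AT(sq, p.sq_off.array);    r->sq_flags = AT(sq, p.sq_off.flags);
	r->cq_head = AT(cq, p.cq_off.head);      r->cq_tail = AT(cq, p.cq_off.tail);
	r->cq_mask = AT(cq, p.cq_off.ring_mask); r->cqes = AT(cq, p.cq_off.cqes);
	return 0;
}

/* Queue one BLK-byte O_DIRECT readv at `off` through registered file 0. `drain` sets
 * IOSQE_IO_DRAIN so the request goes onto the deferred list (my addition, see lead-in). */
static void queue_read(struct ring *r, struct iovec *iov, __u64 off, __u64 tag, int drain)
{
	unsigned tail = *r->sq_tail, idx = tail & *r->sq_mask;
	struct io_uring_sqe *sqe = &r->sqes[idx];
	memset(sqe, 0, sizeof(*sqe));
	sqe->opcode = IORING_OP_READV;   /* the IOPOLL-capable read opcode that exists in 5.4 */
	sqe->flags = IOSQE_FIXED_FILE | (drain ? IOSQE_IO_DRAIN : 0);
	sqe->fd = 0;                     /* index into the registered file table, not an fd */
	sqe->addr = (unsigned long)iov;
	sqe->len = 1;
	sqe->off = off;
	sqe->user_data = tag;
	r->sq_array[idx] = idx;
	__atomic_store_n(r->sq_tail, tail + 1, __ATOMIC_RELEASE);   /* publish to the SQ thread */
}

int main(int argc, char **argv)
{
	int rounds = argc > 2 ? atoi(argv[2]) : 1000, fd;
	struct iovec iov[ENTRIES]; struct ring r; unsigned long bad = 0;
	if (argc < 2) { fprintf(stderr, "usage: %s <file on XFS, >= %d bytes> [rounds]\n", argv[0], ENTRIES * BLK); return 2; }
	if ((fd = open(argv[1], O_RDONLY | O_DIRECT)) < 0) { perror("open O_DIRECT"); return 1; }
	if (ring_init(&r) < 0) { perror("io_uring_setup/mmap (SQPOLL needs root on 5.4)"); return 1; }
	if (syscall(__NR_io_uring_register, r.fd, IORING_REGISTER_FILES, &fd, 1) < 0) { perror("IORING_REGISTER_FILES"); return 1; }
	for (int i = 0; i < ENTRIES; i++) {
		if (posix_memalign(&iov[i].iov_base, BLK, BLK)) return 1;
		iov[i].iov_len = BLK;
	}
	for (int round = 0; round < rounds; round++) {
		for (int i = 0; i < ENTRIES; i++)
			queue_read(&r, &iov[i], (__u64)i * BLK, i, i & 1);   /* every other request drains */
		if (__atomic_load_n(r.sq_flags, __ATOMIC_ACQUIRE) & IORING_SQ_NEED_WAKEUP)
			syscall(__NR_io_uring_enter, r.fd, 0, 0, IORING_ENTER_SQ_WAKEUP, NULL, 0);
		for (int done = 0; done < ENTRIES; ) {
			unsigned head = *r.cq_head;
			if (head == __atomic_load_n(r.cq_tail, __ATOMIC_ACQUIRE)) {
				/* Block for one polled completion; never returning here is the hang the SRU warns about. */
				if (syscall(__NR_io_uring_enter, r.fd, 0, 1, IORING_ENTER_GETEVENTS, NULL, 0) < 0 && errno != EINTR) { perror("io_uring_enter"); return 1; }
				continue;
			}
			if (!read_ok(r.cqes[head & *r.cq_mask].res, BLK)) bad++;
			__atomic_store_n(r.cq_head, head + 1, __ATOMIC_RELEASE);
			done++;
		}
	}
	printf("%d rounds x %d polled reads, %lu short or failed\n", rounds, ENTRIES, bad);
	return bad ? 1 : 0;
}
```

Build with `gcc -O2 -Wall -o iopoll_test iopoll_test.c` and run it repeatedly, for example `sudo ./iopoll_test /mnt/xfs/testfile 5000` (the path is a placeholder). On a good kernel every round completes and the program exits 0; the regression the [Where problems could occur] section warns about would show up as the program never returning from io_uring_enter(), and any short or failed read is reported in the summary line and as a non-zero exit status.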