Bug 1193107 - (CVE-2021-4023) VUL-0: CVE-2021-4023: kernel-source-azure,kernel-source-rt,kernel-source: kernel: Improper IO-uring request cancellation operation allows local users to cause a crash
(CVE-2021-4023)
VUL-0: CVE-2021-4023: kernel-source-azure,kernel-source-rt,kernel-source: ker...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/315872/
CVSSv3.1:SUSE:CVE-2021-4023:5.5:(AV:L...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-11-26 12:51 UTC by Thomas Leroy
Modified: 2021-11-29 09:25 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2021-11-26 12:51:26 UTC
rh#2026484

A flaw was found in the io-workqueue implementation in the Linux kernel. The kernel can panic when an improper cancellation operation triggers the submission of new io-uring operations during  a shortage of free space.   This allows a local user with permissions to execute io-uring requests to possible crash the system.

Statement:

Red Hat has not implemented io-uring in any shipping products however it appears to be enabled in the Fedora Project.

References:

https://git.kernel.dk/cgit/linux-block/commit/?h=io_uring-5.15&id=713b9825a4c47897f66ad69409581e7734a8728e
https://lkml.org/lkml/2021/9/8/64

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2026484
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4023
Comment 1 Thomas Leroy 2021-11-26 12:54:17 UTC
The commit [0] introducing the bug was introduced in v5.15, and has not been backported. Therefore I think none of the branches are affected.

[0]
https://git.kernel.dk/cgit/linux-block/commit/?h=io_uring-5.15&id=3146cba99aa28
Comment 2 Thomas Leroy 2021-11-26 13:14:09 UTC
I forgot to mention stable branch.
stable branch contains the vulnerable commit, but also the fixing commit.
Comment 3 Takashi Iwai 2021-11-26 14:39:37 UTC
Confirmed, no SLE branches are affected, but it's only in stable branch and already addressed.

Reassigned back to security team.
Comment 4 Thomas Leroy 2021-11-29 09:25:59 UTC
Thanks Takashi for confirming. Closing.