Bug 1220154 (CVE-2023-52437) - VUL-0: CVE-2023-52437: kernel: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
Summary: VUL-0: CVE-2023-52437: kernel: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDIN...
Status: RESOLVED INVALID
Alias: CVE-2023-52437
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Coly Li
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/394648/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-21 14:08 UTC by SMASH SMASH
Modified: 2024-06-25 18:10 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description SMASH SMASH 2024-02-21 14:08:23 UTC
In the Linux kernel, the following vulnerability has been resolved:

Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"

This reverts commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74.

That commit introduced the following race and can cause a system hang.

 md_write_start:             raid5d:
 // mddev->in_sync == 1
 set "MD_SB_CHANGE_PENDING"
                            // running before md_write_start wakeup it
                             waiting "MD_SB_CHANGE_PENDING" cleared
                             >>>>>>>>> hung
 wakeup mddev->thread
 ...
 waiting "MD_SB_CHANGE_PENDING" cleared
 >>>> hung, raid5d should clear this flag
 but get hung by same flag.

The issue that the reverted commit was fixing is fixed by the last patch in a new way.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52437
https://www.cve.org/CVERecord?id=CVE-2023-52437
https://git.kernel.org/stable/c/0de40f76d567133b871cd6ad46bb87afbce46983
https://git.kernel.org/stable/c/84c39986fe6dd77aa15f08712339f5d4eb7dbe27
https://git.kernel.org/stable/c/87165c64fe1a98bbab7280c58df3c83be2c98478
https://git.kernel.org/stable/c/aab69ef769707ad987ff905d79e0bd6591812580
https://git.kernel.org/stable/c/bed0acf330b2c50c688f6d9cfbcac2aa57a8e613
https://git.kernel.org/stable/c/bed9e27baf52a09b7ba2a3714f1e24e17ced386d
https://git.kernel.org/stable/c/cfa46838285814c3a27faacf7357f0a65bb5d152
https://git.kernel.org/stable/c/e16a0bbdb7e590a6607b0d82915add738c03c069
https://bugzilla.redhat.com/show_bug.cgi?id=2265269
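As an added illustration (not part of the bug report and not kernel code), the race in the diagram above can be modelled as two deterministic step functions over a tiny stand-in for struct mddev; the names md_write_start_step, raid5d_step and run_scenario are invented for this model, and the wait_first flag selects the behaviour of the reverted commit.

```c
/* Added model (not kernel code) of the raid5d / md_write_start deadlock
 * above: two step functions over a stand-in struct mddev, run in order. */
#include <stdbool.h>
struct mddev {
    bool in_sync;            /* array is clean */
    bool sb_change_pending;  /* MD_SB_CHANGE_PENDING: superblock dirty */
};

enum { RUNNING, BLOCKED, DONE };

/* md_write_start: a write to a clean array marks the superblock dirty,
 * wakes mddev->thread and then waits for the flag to be cleared. */
static int md_write_start_step(struct mddev *m, int *pc)
{
    switch (*pc) {
    case 0: if (m->in_sync) { m->in_sync = false; m->sb_change_pending = true; }
            (*pc)++; return RUNNING;
    case 1: /* wakeup mddev->thread: no effect if raid5d is already
             * parked in wait_event() on the flag. */
            (*pc)++; return RUNNING;
    default: return m->sb_change_pending ? BLOCKED : DONE;  /* wait_event */
    }
}
/* raid5d: wait_first models the reverted commit, which waits for the flag
 * to clear *before* md_check_recovery(), the only step that clears it. */
static int raid5d_step(struct mddev *m, int *pc, bool wait_first)
{
    switch (*pc) {
    case 0: if (wait_first && m->sb_change_pending) return BLOCKED;
            (*pc)++; return RUNNING;
    default: m->sb_change_pending = false;  /* md_check_recovery -> md_update_sb */
             return DONE;
    }
}

/* The interleaving from the commit message: the flag is set, then raid5d
 * runs before it is woken. Returns true if both finish, false on deadlock. */
bool run_scenario(bool raid5d_waits_first)
{
    struct mddev m = { .in_sync = true, .sb_change_pending = false };
    int pc_w = 0, pc_d = 0, st_d = RUNNING;
    int st_w = md_write_start_step(&m, &pc_w);          /* sets the flag */
    for (int round = 0; round < 16; round++) {
        if (st_d != DONE) st_d = raid5d_step(&m, &pc_d, raid5d_waits_first);
        if (st_w != DONE) st_w = md_write_start_step(&m, &pc_w);
        if (st_w == DONE && st_d == DONE) return true;
        if (st_w == BLOCKED && st_d == BLOCKED) return false; /* hung on one flag */
    }
    return false;
}
```

run_scenario(true) reproduces the hang (both sides blocked on the same flag that only raid5d clears), while run_scenario(false), the behaviour restored by the revert, lets raid5d reach the step that clears the flag and both sides complete.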
Comment 2 Joey Lee 2024-02-23 05:51:09 UTC
Hi Coly,

Because this is an issue for drivers/md/raid5, could you please help to handle it?

If this is not in your area, just reset the bug assignee to kernel-bugs@suse.de. Kernel Security Sentinel will find another expert.

Thanks a lot!
Comment 3 Coly Li 2024-02-23 09:51:19 UTC
(In reply to Joey Lee from comment #2)
> Hi Coly,
> 
> Because this is an issue for drivers/md/raid5, could you please help to
> handle it?

Copied, let me take this.

Thanks.

Coly Li
Comment 4 Coly Li 2024-02-26 03:38:17 UTC
The original fixing patch was introduced in v6.1, and the regression patch that introduced the CVE landed in v6.8. So the fix will only go into the SLE15-SP6 branch, and all other branches which have the regression patch.

Not necessary to submit to stable and CVE branches of kernel-source.
Comment 5 Coly Li 2024-02-26 03:55:22 UTC
The fix commit d6e035aad6c0 ("md: bypass block throttle for superblock update") is submitted into SLE15-SP6 and SLE15-SP5.
Comment 6 Andrea Mattiazzo 2024-02-26 15:54:47 UTC
The CVE was retired by the kernel CNA. I think a new CVE issue will be created for the race condition introduced by commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74 when a proper patch is pushed.

I am closing it since the fix will be handled in the future thread, to avoid confusion.

[0] https://lore.kernel.org/linux-cve-announce/2024022249-trapping-doorstop-6f10@gregkh/T/#mf76dd4fc63101c099f878d50b9bac139d44aef3f