1227732 – (CVE-2024-39508) VUL-0: CVE-2024-39508: kernel: io_uring/io-wq: use set_bit() and test_bit() at worker->flags

Bug 1227732 (CVE-2024-39508) - VUL-0: CVE-2024-39508: kernel: io_uring/io-wq: use set_bit() and test_bit() at worker->flags

Summary: VUL-0: CVE-2024-39508: kernel: io_uring/io-wq: use set_bit() and test_bit() a...

Status:	NEW

Alias:	CVE-2024-39508

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Gabriel Krisman Bertazi
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/413823/
Whiteboard:	CVSSv3.1:SUSE:CVE-2024-39508:6.3:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-07-12 19:10 UTC by SMASH SMASH
Modified:	2024-07-15 16:49 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-07-12 19:10:05 UTC

In the Linux kernel, the following vulnerability has been resolved:

io_uring/io-wq: Use set_bit() and test_bit() at worker->flags

Utilize set_bit() and test_bit() on worker->flags within io_uring/io-wq
to address potential data races.

The structure io_worker->flags may be accessed through various data
paths, leading to concurrency issues. When KCSAN is enabled, it reveals
data races occurring in io_worker_handle_work and
io_wq_activate_free_worker functions.

	 BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker
	 write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28:
	 io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569)
	 io_wq_worker (io_uring/io-wq.c:?)
<snip>

	 read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5:
	 io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285)
	 io_wq_enqueue (io_uring/io-wq.c:947)
	 io_queue_iowq (io_uring/io_uring.c:524)
	 io_req_task_submit (io_uring/io_uring.c:1511)
	 io_handle_tw_list (io_uring/io_uring.c:1198)
<snip>

Line numbers against commit 18daea77cca6 ("Merge tag 'for-linus' of
git://git.kernel.org/pub/scm/virt/kvm/kvm").

These races involve writes and reads to the same memory location by
different tasks running on different CPUs. To mitigate this, refactor
the code to use atomic operations such as set_bit(), test_bit(), and
clear_bit() instead of basic "and" and "or" operations. This ensures
thread-safe manipulation of worker flags.

Also, move `create_index` to avoid holes in the structure.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39508
https://www.cve.org/CVERecord?id=CVE-2024-39508
https://git.kernel.org/stable/c/1cbb0affb15470a9621267fe0a8568007553a4bf
https://git.kernel.org/stable/c/8a565304927fbd28c9f028c492b5c1714002cbab
https://git.kernel.org/stable/c/ab702c3483db9046bab9f40306f1a28b22dbbdc0
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-39508.mbox