中危 io_uring:修复共享 sqpoll 取消挂起 (CVE-2021-46942)

CVE编号

CVE-2021-46942

利用情况

暂无

补丁情况

官方补丁

披露时间

2024-02-28
漏洞描述
In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix shared sqpoll cancellation hangs

[ 736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.
[ 736.982897] Call Trace:
[ 736.982901] schedule+0x68/0xe0
[ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110
[ 736.982908] io_sqpoll_cancel_cb+0x24/0x30
[ 736.982911] io_run_task_work_head+0x28/0x50
[ 736.982913] io_sq_thread+0x4e3/0x720

We call io_uring_cancel_sqpoll() one by one for each ctx either in
sq_thread() itself or via task works, and it's intended to cancel all
requests of a specified context. However the function uses per-task
counters to track the number of inflight requests, so it counts more
requests than available via currect io_uring ctx and goes to sleep for
them to appear (e.g. from IRQ), that will never happen.

Cancel a bit more than before, i.e. all ctxs that share sqpoll
and continue to use shared counters. Don't forget that we should not
remove ctx from the list before running that task_work sqpoll-cancel,
otherwise the function wouldn't be able to find the context and will
hang.
解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接
https://git.kernel.org/stable/c/734551df6f9bedfbefcd113ede665945e9de0b99
https://git.kernel.org/stable/c/cb5e0b3d0f993a6268c1a2c7ede2f9aa0c17ef68
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
系统 debian_10 linux * Up to
(excluding)
4.19.304-1
运行在以下环境
系统 debian_11 linux * Up to
(excluding)
5.10.209-2
运行在以下环境
系统 debian_12 linux * Up to
(excluding)
6.1.76-1
运行在以下环境
系统 linux linux_kernel * From
(including)
5.12.0 		Up to
(excluding)
5.12.3
阿里云评分
5.0
  • 攻击路径
    本地
  • 攻击复杂度
    困难
  • 权限要求
    管控权限
  • 影响范围
    有限影响
  • EXP成熟度
    未验证
  • 补丁情况
    官方补丁
  • 数据保密性
    无影响
  • 数据完整性
    无影响
  • 服务器危害
    无影响
  • 全网数量
    N/A
CWE-ID 漏洞类型
NVD-CWE-noinfo
阿里云安全产品覆盖情况