cve/published/2024/CVE-2024-41080.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-41080: io_uring: fix possible deadlock in io_register_iowq_max_workers()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 io_uring: fix possible deadlock in io_register_iowq_max_workers()

 The io_register_iowq_max_workers() function calls io_put_sq_data(),
 which acquires the sqd->lock without releasing the uring_lock.
 Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock
 before acquiring sqd->lock"), this can lead to a potential deadlock
 situation.

 To resolve this issue, the uring_lock is released before calling
 io_put_sq_data(), and then it is re-acquired after the function call.

 This change ensures that the locks are acquired in the correct
 order, preventing the possibility of a deadlock.

 The Linux kernel CVE team has assigned CVE-2024-41080 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 5.10.230 with commit b17397a0a5c56e111f61cb5b77d162664dc00de9
 	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 5.15.173 with commit 97ed7ff58de66c544692b3c2b988f3f594348de0
 	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.1.118 with commit fdacd09f2ddf7a00787291f08ee48c0421e5b709
 	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.6.62 with commit 950ac86cff338ab56e2eaf611f4936ee34893b63
 	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.9.11 with commit b571a367502c7ef94c688ef9c7f7d69a2ce3bcca
 	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.10 with commit 73254a297c2dd094abec7c9efee32455ae875bdf

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-41080
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	io_uring/register.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/b17397a0a5c56e111f61cb5b77d162664dc00de9
 	https://git.kernel.org/stable/c/97ed7ff58de66c544692b3c2b988f3f594348de0
 	https://git.kernel.org/stable/c/fdacd09f2ddf7a00787291f08ee48c0421e5b709
 	https://git.kernel.org/stable/c/950ac86cff338ab56e2eaf611f4936ee34893b63
 	https://git.kernel.org/stable/c/b571a367502c7ef94c688ef9c7f7d69a2ce3bcca
 	https://git.kernel.org/stable/c/73254a297c2dd094abec7c9efee32455ae875bdf
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-41080: io_uring: fix possible deadlock in io_register_iowq_max_workers()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	io_uring: fix possible deadlock in io_register_iowq_max_workers()

	The io_register_iowq_max_workers() function calls io_put_sq_data(),
	which acquires the sqd->lock without releasing the uring_lock.
	Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock
	before acquiring sqd->lock"), this can lead to a potential deadlock
	situation.

	To resolve this issue, the uring_lock is released before calling
	io_put_sq_data(), and then it is re-acquired after the function call.

	This change ensures that the locks are acquired in the correct
	order, preventing the possibility of a deadlock.

	The Linux kernel CVE team has assigned CVE-2024-41080 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 5.10.230 with commit b17397a0a5c56e111f61cb5b77d162664dc00de9
	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 5.15.173 with commit 97ed7ff58de66c544692b3c2b988f3f594348de0
	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.1.118 with commit fdacd09f2ddf7a00787291f08ee48c0421e5b709
	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.6.62 with commit 950ac86cff338ab56e2eaf611f4936ee34893b63
	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.9.11 with commit b571a367502c7ef94c688ef9c7f7d69a2ce3bcca
	Issue introduced in 5.1 with commit 2b188cc1bb857a9d4701ae59aa7768b5124e262e and fixed in 6.10 with commit 73254a297c2dd094abec7c9efee32455ae875bdf

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-41080
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	io_uring/register.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/b17397a0a5c56e111f61cb5b77d162664dc00de9
	https://git.kernel.org/stable/c/97ed7ff58de66c544692b3c2b988f3f594348de0
	https://git.kernel.org/stable/c/fdacd09f2ddf7a00787291f08ee48c0421e5b709
	https://git.kernel.org/stable/c/950ac86cff338ab56e2eaf611f4936ee34893b63
	https://git.kernel.org/stable/c/b571a367502c7ef94c688ef9c7f7d69a2ce3bcca
	https://git.kernel.org/stable/c/73254a297c2dd094abec7c9efee32455ae875bdf