416baaa9-dc9f-4396-8d5f-8c081fb06d67CVE-2021-47069CVE-2021-47069
In the Linux kernel, the following vulnerability has been resolved:
ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry
do_mq_timedreceive calls wq_sleep with a stack local address. The
sender (do_mq_timedsend) uses this address to later call pipelined_send.
This leads to a very hard to trigger race where a do_mq_timedreceive
call might return and leave do_mq_timedsend to rely on an invalid
address, causing the following crash:
RIP: 0010:wake_q_add_safe+0x13/0x60
Call Trace:
__x64_sys_mq_timedsend+0x2a9/0x490
do_syscall_64+0x80/0x680
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f5928e40343
The race occurs as:
-
do_mq_timedreceive calls wq_sleep with the address of
struct ext_wait_queueon function stack (aliased asewq_addrhere) - it
holds a validstruct ext_wait_queue *as long as the stack has not
been overwritten. -
ewq_addrgets added to info->e_wait_q[RECV].list in wq_add, and
do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call
__pipelined_op. -
Sender calls __pipelined_op::smp_store_release(&this->state,
STATE_READY). Here is where the race window begins. (thisis
ewq_addr.) -
If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it
will seestate == STATE_READYand break. -
do_mq_timedreceive returns, and
ewq_addris no longer guaranteed
to be astruct ext_wait_queue *since it was on do_mq_timedreceive’s
stack. (Although the address may not get overwritten until another
function happens to touch it, which means it can persist around for an
indefinite time.) -
do_mq_timedsend::__pipelined_op() still believes
ewq_addris a
struct ext_wait_queue *, and uses it to find a task_struct to pass to
the wake_q_add_safe call. In the lucky case where nothing has
overwrittenewq_addryet,ewq_addr->taskis the right task_struct.
In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a
bogus address as the receiver’s task_struct causing the crash.
do_mq_timedsend::__pipelined_op() should not dereference this after
setting STATE_READY, as the receiver counterpart is now free to return.
Change __pipelined_op to call wake_q_add_safe on the receiver’s
task_struct returned by get_task_struct, instead of dereferencing this
which sits on the receiver’s stack.
As Manfred pointed out, the race potentially also exists in
ipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare. Fix
those in the same way.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
CNA Affected
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"ipc/mqueue.c",
"ipc/msg.c",
"ipc/sem.c"
],
"versions": [
{
"version": "0d97a82ba830",
"lessThan": "4528c0c32308",
"status": "affected",
"versionType": "git"
},
{
"version": "0d97a82ba830",
"lessThan": "807fa14536b2",
"status": "affected",
"versionType": "git"
},
{
"version": "0d97a82ba830",
"lessThan": "a11ddb37bf36",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"ipc/mqueue.c",
"ipc/msg.c",
"ipc/sem.c"
],
"versions": [
{
"version": "5.6",
"status": "affected"
},
{
"version": "0",
"lessThan": "5.6",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.10.40",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.12.7",
"lessThanOrEqual": "5.12.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.13",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]Related
