CVE-2024-39508

2024-07-1213:15:13

Linux

web.nvd.nist.gov

674

linux kernel

data race

io_uring/io-wq

worker flags

kcsan

atomic operations

AI Score

6.7

Confidence

Low

EPSS

Percentile

15.9%

JSON

In the Linux kernel, the following vulnerability has been resolved:

io_uring/io-wq: Use set_bit() and test_bit() at worker->flags

Utilize set_bit() and test_bit() on worker->flags within io_uring/io-wq
to address potential data races.

The structure io_worker->flags may be accessed through various data
paths, leading to concurrency issues. When KCSAN is enabled, it reveals
data races occurring in io_worker_handle_work and
io_wq_activate_free_worker functions.

 BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker
 write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28:
 io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569)
 io_wq_worker (io_uring/io-wq.c:?)

<snip>

 read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5:
 io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285)
 io_wq_enqueue (io_uring/io-wq.c:947)
 io_queue_iowq (io_uring/io_uring.c:524)
 io_req_task_submit (io_uring/io_uring.c:1511)
 io_handle_tw_list (io_uring/io_uring.c:1198)

<snip>

Line numbers against commit 18daea77cca6 (“Merge tag ‘for-linus’ of
git://git.kernel.org/pub/scm/virt/kvm/kvm”).

These races involve writes and reads to the same memory location by
different tasks running on different CPUs. To mitigate this, refactor
the code to use atomic operations such as set_bit(), test_bit(), and
clear_bit() instead of basic “and” and “or” operations. This ensures
thread-safe manipulation of worker flags.

Also, move create_index to avoid holes in the structure.

Affected configurations

Vulners

Node

linuxlinux_kernelRange6.6.0–6.6.35

linuxlinux_kernelRange6.7.0–6.9.6

linuxlinux_kernelRange6.10.0≥

VendorProductVersionCPE
linuxlinux_kernel*cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linux	linux_kernel	*	cpe:2.3:a:linux:linux_kernel::::::::

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "io_uring/io-wq.c"
    ],
    "versions": [
      {
        "version": "1da177e4c3f4",
        "lessThan": "ab702c3483db",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "1da177e4c3f4",
        "lessThan": "1cbb0affb154",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "1da177e4c3f4",
        "lessThan": "8a565304927f",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "io_uring/io-wq.c"
    ],
    "versions": [
      {
        "version": "6.6.35",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9.6",
        "lessThanOrEqual": "6.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]