CVE-2024-53052
Linux Kernel io_uring/freeze: Deadlock in RWSEM Handling
Description
In the Linux kernel, the following vulnerability has been resolved: io_uring/rw: fix missing NOWAIT check for O_DIRECT start write When io_uring starts a write, it'll call kiocb_start_write() to bump the super block rwsem, preventing any freezes from happening while that write is in-flight. The freeze side will grab that rwsem for writing, excluding any new writers from happening and waiting for existing writes to finish. But io_uring unconditionally uses kiocb_start_write(), which will block if someone is currently attempting to freeze the mount point. This causes a deadlock where freeze is waiting for previous writes to complete, but the previous writes cannot complete, as the task that is supposed to complete them is blocked waiting on starting a new write. This results in the following stuck trace showing that dependency with the write blocked starting a new write: task:fio state:D stack:0 pid:886 tgid:886 ppid:876 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_rwsem_wait+0x1e8/0x3f8 __percpu_down_read+0xe8/0x500 io_write+0xbb8/0xff8 io_issue_sqe+0x10c/0x1020 io_submit_sqes+0x614/0x2110 __arm64_sys_io_uring_enter+0x524/0x1038 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170 INFO: task fsfreeze:7364 blocked for more than 15 seconds. Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963 with the attempting freezer stuck trying to grab the rwsem: task:fsfreeze state:D stack:0 pid:7364 tgid:7364 ppid:995 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_down_write+0x2b0/0x680 freeze_super+0x248/0x8a8 do_vfs_ioctl+0x149c/0x1b18 __arm64_sys_ioctl+0xd0/0x1a0 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170 Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a blocking grab of the super block rwsem if it isn't set. For normal issue where IOCB_NOWAIT would always be set, this returns -EAGAIN which will have io_uring core issue a blocking attempt of the write. That will in turn also get completions run, ensuring forward progress. Since freezing requires CAP_SYS_ADMIN in the first place, this isn't something that can be triggered by a regular user.
INFO
Published Date :
Nov. 19, 2024, 6:15 p.m.
Last Modified :
Nov. 22, 2024, 5:08 p.m.
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable :
No
Impact Score :
3.6
Exploitability Score :
0.8
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-53052.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-53052 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2024-53052 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Nov. 22, 2024
Action Type Old Value New Value Added CVSS V3.1 NIST AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Added CWE NIST CWE-667 Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 5.10.230 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.172 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.116 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.60 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.11.7 *cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:* Changed Reference Type https://git.kernel.org/stable/c/003d2996964c03dfd34860500428f4cdf1f5879e No Types Assigned https://git.kernel.org/stable/c/003d2996964c03dfd34860500428f4cdf1f5879e Patch Changed Reference Type https://git.kernel.org/stable/c/1d60d74e852647255bd8e76f5a22dc42531e4389 No Types Assigned https://git.kernel.org/stable/c/1d60d74e852647255bd8e76f5a22dc42531e4389 Patch Changed Reference Type https://git.kernel.org/stable/c/26b8c48f369b7591f5679e0b90612f4862a32929 No Types Assigned https://git.kernel.org/stable/c/26b8c48f369b7591f5679e0b90612f4862a32929 Patch Changed Reference Type https://git.kernel.org/stable/c/485d9232112b17f389b29497ff41b97b3189546b No Types Assigned https://git.kernel.org/stable/c/485d9232112b17f389b29497ff41b97b3189546b Patch Changed Reference Type https://git.kernel.org/stable/c/4e24041ba86d50aaa4c792ae2c88ed01b3d96243 No Types Assigned https://git.kernel.org/stable/c/4e24041ba86d50aaa4c792ae2c88ed01b3d96243 Patch Changed Reference Type https://git.kernel.org/stable/c/9e8debb8e51354b201db494689198078ec2c1e75 No Types Assigned https://git.kernel.org/stable/c/9e8debb8e51354b201db494689198078ec2c1e75 Patch -
CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Nov. 19, 2024
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: io_uring/rw: fix missing NOWAIT check for O_DIRECT start write When io_uring starts a write, it'll call kiocb_start_write() to bump the super block rwsem, preventing any freezes from happening while that write is in-flight. The freeze side will grab that rwsem for writing, excluding any new writers from happening and waiting for existing writes to finish. But io_uring unconditionally uses kiocb_start_write(), which will block if someone is currently attempting to freeze the mount point. This causes a deadlock where freeze is waiting for previous writes to complete, but the previous writes cannot complete, as the task that is supposed to complete them is blocked waiting on starting a new write. This results in the following stuck trace showing that dependency with the write blocked starting a new write: task:fio state:D stack:0 pid:886 tgid:886 ppid:876 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_rwsem_wait+0x1e8/0x3f8 __percpu_down_read+0xe8/0x500 io_write+0xbb8/0xff8 io_issue_sqe+0x10c/0x1020 io_submit_sqes+0x614/0x2110 __arm64_sys_io_uring_enter+0x524/0x1038 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170 INFO: task fsfreeze:7364 blocked for more than 15 seconds. Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963 with the attempting freezer stuck trying to grab the rwsem: task:fsfreeze state:D stack:0 pid:7364 tgid:7364 ppid:995 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_down_write+0x2b0/0x680 freeze_super+0x248/0x8a8 do_vfs_ioctl+0x149c/0x1b18 __arm64_sys_ioctl+0xd0/0x1a0 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170 Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a blocking grab of the super block rwsem if it isn't set. For normal issue where IOCB_NOWAIT would always be set, this returns -EAGAIN which will have io_uring core issue a blocking attempt of the write. That will in turn also get completions run, ensuring forward progress. Since freezing requires CAP_SYS_ADMIN in the first place, this isn't something that can be triggered by a regular user. Added Reference kernel.org https://git.kernel.org/stable/c/485d9232112b17f389b29497ff41b97b3189546b [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/4e24041ba86d50aaa4c792ae2c88ed01b3d96243 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/9e8debb8e51354b201db494689198078ec2c1e75 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/003d2996964c03dfd34860500428f4cdf1f5879e [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/26b8c48f369b7591f5679e0b90612f4862a32929 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/1d60d74e852647255bd8e76f5a22dc42531e4389 [No types assigned]
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-53052 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-53052
weaknesses.