CVE-2024-43855

{"id": "CVE-2024-43855", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-08-17T10:15:10.527", "references": [{"url": "https://git.kernel.org/stable/c/2d0738a8322bf4e5bfe693d16b3111928a9ccfbf", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/32226070813140234b6c507084738e8e8385c5c6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/611d5cbc0b35a752e657a83eebadf40d814d006b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ca963eefbc3331222b6121baa696d49ba2008811", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix deadlock between mddev_suspend and flush bio\n\nDeadlock occurs when mddev is being suspended while some flush bio is in\nprogress. It is a complex issue.\n\nT1. the first flush is at the ending stage, it clears 'mddev->flush_bio'\n and tries to submit data, but is blocked because mddev is suspended\n by T4.\nT2. the second flush sets 'mddev->flush_bio', and attempts to queue\n md_submit_flush_data(), which is already running (T1) and won't\n execute again if on the same CPU as T1.\nT3. the third flush inc active_io and tries to flush, but is blocked because\n 'mddev->flush_bio' is not NULL (set by T2).\nT4. mddev_suspend() is called and waits for active_io dec to 0 which is inc\n by T3.\n\n T1\t\tT2\t\tT3\t\tT4\n (flush 1)\t(flush 2)\t(third 3)\t(suspend)\n md_submit_flush_data\n mddev->flush_bio = NULL;\n .\n .\t \tmd_flush_request\n .\t \t mddev->flush_bio = bio\n .\t \t queue submit_flushes\n .\t\t .\n .\t\t .\t\tmd_handle_request\n .\t\t .\t\t active_io + 1\n .\t\t .\t\t md_flush_request\n .\t\t .\t\t wait !mddev->flush_bio\n .\t\t .\n .\t\t .\t\t\t\tmddev_suspend\n .\t\t .\t\t\t\t wait !active_io\n .\t\t .\n .\t\t submit_flushes\n .\t\t queue_work md_submit_flush_data\n .\t\t //md_submit_flush_data is already running (T1)\n .\n md_handle_request\n wait resume\n\nThe root issue is non-atomic inc/dec of active_io during flush process.\nactive_io is dec before md_submit_flush_data is queued, and inc soon\nafter md_submit_flush_data() run.\n md_flush_request\n active_io + 1\n submit_flushes\n active_io - 1\n md_submit_flush_data\n md_handle_request\n active_io + 1\n make_request\n active_io - 1\n\nIf active_io is dec after md_handle_request() instead of within\nsubmit_flushes(), make_request() can be called directly intead of\nmd_handle_request() in md_submit_flush_data(), and active_io will\nonly inc and dec once in the whole flush process. Deadlock will be\nfixed.\n\nAdditionally, the only difference between fixing the issue and before is\nthat there is no return error handling of make_request(). But after\nprevious patch cleaned md_write_start(), make_requst() only return error\nin raid5_make_request() by dm-raid, see commit 41425f96d7aa (\"dm-raid456,\nmd/raid456: fix a deadlock for dm-raid456 while io concurrent with\nreshape)\". Since dm always splits data and flush operation into two\nseparate io, io size of flush submitted by dm always is 0, make_request()\nwill not be called in md_submit_flush_data(). To prevent future\nmodifications from introducing issues, add WARN_ON to ensure\nmake_request() no error is returned in this context."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: md: corrige el punto muerto entre mddev_suspend y purgar bio. El punto muerto ocurre cuando mddev se suspende mientras se realiza alg\u00fan purga de biograf\u00eda. Es una cuesti\u00f3n compleja. T1. la primera descarga est\u00e1 en la etapa final, borra 'mddev->flush_bio' e intenta enviar datos, pero se bloquea porque T4 suspende mddev. T2. la segunda descarga establece 'mddev->flush_bio' e intenta poner en cola md_submit_flush_data(), que ya se est\u00e1 ejecutando (T1) y no se ejecutar\u00e1 nuevamente si est\u00e1 en la misma CPU que T1. T3. el tercer enjuague incluye active_io e intenta descargar, pero se bloquea porque 'mddev->flush_bio' no es NULL (establecido por T2). T4. Se llama a mddev_suspend() y espera que active_io dec a 0, que es incrementado por T3. T1 T2 T3 T4 (flush 1) (flush 2) (tercero 3) (suspender) md_submit_flush_data mddev->flush_bio = NULL; . . md_flush_request. mddev->flush_bio = biograf\u00eda. cola submit_flushes . . . . md_handle_request. . activo_io + 1. . md_flush_request. . \u00a1espera! mddev->flush_bio. . . . mddev_suspend. . \u00a1espera! active_io. . . enviar_flushes. queue_work md_submit_flush_data. //md_submit_flush_data ya se est\u00e1 ejecutando (T1). md_handle_request espera reanudar la ra\u00edz del problema es el aumento/disminuci\u00f3n no at\u00f3mico de active_io durante el proceso de descarga. active_io disminuye antes de que md_submit_flush_data se ponga en cola y se inc poco despu\u00e9s de ejecutar md_submit_flush_data(). md_flush_request active_io + 1 submit_flushes active_io - 1 md_submit_flush_data md_handle_request active_io + 1 make_request active_io - 1 Si active_io se dec despu\u00e9s de md_handle_request() en lugar de dentro de submit_flushes(), se puede llamar a make_request() directamente en lugar de md_handle_request() en md_submit_flush_data(), y active_io solo aumentar\u00e1 y disminuir\u00e1 una vez durante todo el proceso de descarga. Se solucionar\u00e1 el punto muerto. Adem\u00e1s, la \u00fanica diferencia entre solucionar el problema y antes es que no hay manejo de errores de devoluci\u00f3n de make_request(). Pero despu\u00e9s de que el parche anterior limpi\u00f3 md_write_start(), make_requst() solo devuelve un error en raid5_make_request() por dm-raid, consulte el commit 41425f96d7aa (\"dm-raid456, md/raid456: solucione un punto muerto para dm-raid456 mientras io concurre con reshape) \". Dado que dm siempre divide los datos y la operaci\u00f3n de descarga en dos io separados, el tama\u00f1o de io de descarga enviado por dm siempre es 0, no se llamar\u00e1 a make_request() en md_submit_flush_data(). Para evitar que modificaciones futuras introduzcan problemas, agregue WARN_ON para garantizar que make_request() no se devuelva ning\u00fan error en este contexto."}], "lastModified": "2024-08-22T17:48:09.100", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C41F9D9-FD77-4351-9E80-31CDB3FB794F", "versionEndExcluding": "6.1.103"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC912330-6B41-4C6B-99AF-F3857FBACB6A", "versionEndExcluding": "6.6.44", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "92D388F2-1EAF-4CFA-AC06-5B26D762EA7D", "versionEndExcluding": "6.10.3", "versionStartIncluding": "6.7"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}