CVE-2023-54316
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
refscale: Fix uninitalized use of wait_queue_head_t
Running the refscale test occasionally crashes the kernel with the following error:
[ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8 [ 8569.952900] #PF: supervisor read access in kernel mode [ 8569.952902] #PF: error_code(0x0000) - not-present page [ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0 [ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI [ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021 [ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190 : [ 8569.952940] Call Trace: [ 8569.952941] <TASK> [ 8569.952944] ref_scale_reader+0x380/0x4a0 [refscale] [ 8569.952959] kthread+0x10e/0x130 [ 8569.952966] ret_from_fork+0x1f/0x30 [ 8569.952973] </TASK>
The likely cause is that init_waitqueue_head() is called after the call to the torture_create_kthread() function that creates the ref_scale_reader kthread. Although this init_waitqueue_head() call will very likely complete before this kthread is created and starts running, it is possible that the calling kthread will be delayed between the calls to torture_create_kthread() and init_waitqueue_head(). In this case, the new kthread will use the waitqueue head before it is properly initialized, which is not good for the kernel's health and well-being.
The above crash happened here:
static inline void __add_wait_queue(...)
{
:
if (!(wq->flags & WQ_FLAG_PRIORITY)) <=== Crash here
The offset of flags from list_head entry in wait_queue_entry is -0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task structure is zero initialized, the instruction will try to access address 0xffffffffffffffe8, which is exactly the fault address listed above.
This commit therefore invokes init_waitqueue_head() before creating the kthread.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 653ed64b01dc5989f8f579d0038e987476c2c023 < 066fbd8bc981cf49923bf828b7b4092894df577f | affected |
| Linux | Linux | 653ed64b01dc5989f8f579d0038e987476c2c023 < ec9d118ad99dc6f1bc674c1e649c25533d89b9ba | affected |
| Linux | Linux | 653ed64b01dc5989f8f579d0038e987476c2c023 < e0322a255a2242dbe4686b6176b3c83dea490529 | affected |
| Linux | Linux | 653ed64b01dc5989f8f579d0038e987476c2c023 < e5de968a9032366198720eac4f368ed7e690b3ef | affected |
| Linux | Linux | 653ed64b01dc5989f8f579d0038e987476c2c023 < 70a2856fd1d0a040c876ba9e3f89b949ae92e4dd | affected |
| Linux | Linux | 653ed64b01dc5989f8f579d0038e987476c2c023 < f5063e8948dad7f31adb007284a5d5038ae31bb8 | affected |
| Linux | Linux | 5.9 | affected |
| Linux | Linux | 0 < 5.9 | unaffected |
| Linux | Linux | 5.10.195 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.132 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.53 <= 6.1.* | unaffected |
| Linux | Linux | 6.4.16 <= 6.4.* | unaffected |
| Linux | Linux | 6.5.3 <= 6.5.* | unaffected |
| Linux | Linux | 6.6 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/066fbd8bc981cf49923bf828b7b4092894df577f
- https://git.kernel.org/stable/c/ec9d118ad99dc6f1bc674c1e649c25533d89b9ba
- https://git.kernel.org/stable/c/e0322a255a2242dbe4686b6176b3c83dea490529
- https://git.kernel.org/stable/c/e5de968a9032366198720eac4f368ed7e690b3ef
- https://git.kernel.org/stable/c/70a2856fd1d0a040c876ba9e3f89b949ae92e4dd
- https://git.kernel.org/stable/c/f5063e8948dad7f31adb007284a5d5038ae31bb8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.