CVE-2024-56584

Summary

In the Linux kernel, the following vulnerability has been resolved:

io_uring/tctx: work around xa_store() allocation error issue

syzbot triggered the following WARN_ON:

WARNING: CPU: 0 PID: 16 at io_uring/tctx.c:51 __io_uring_free+0xfa/0x140 io_uring/tctx.c:51

which is the

WARN_ON_ONCE(!xa_empty(&tctx->xa));

sanity check in __io_uring_free() when a io_uring_task is going through its final put. The syzbot test case includes injecting memory allocation failures, and it very much looks like xa_store() can fail one of its memory allocations and end up with ->head being non-NULL even though no entries exist in the xarray.

Until this issue gets sorted out, work around it by attempting to iterate entries in our xarray, and WARN_ON_ONCE() if one is found.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux2b188cc1bb857a9d4701ae59aa7768b5124e262e < e05c070b401f6365c503e2b59f091331965c4fb9affected
LinuxLinux2b188cc1bb857a9d4701ae59aa7768b5124e262e < 3a84fa784710990964c1e35df743851ab2863898affected
LinuxLinux2b188cc1bb857a9d4701ae59aa7768b5124e262e < 94ad56f61b873ffeebcc620d451eacfbdf9d40f0affected
LinuxLinux2b188cc1bb857a9d4701ae59aa7768b5124e262e < 42882b583095dcf747da6e3af1daeff40e27033eaffected
LinuxLinux2b188cc1bb857a9d4701ae59aa7768b5124e262e < d5b2ddf1f90c7248eff9630b95895c8950f2f36daffected
LinuxLinux2b188cc1bb857a9d4701ae59aa7768b5124e262e < 7eb75ce7527129d7f1fee6951566af409a37a1c4affected
LinuxLinux5.1affected
LinuxLinux0 < 5.1unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.120 <= 6.1.*unaffected
LinuxLinux6.6.66 <= 6.6.*unaffected
LinuxLinux6.12.5 <= 6.12.*unaffected
LinuxLinux6.13 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References