[SRU,Lunar,0/2,Jammy,0/1] CVE-2023-46862

Message ID 20240122182411.15417-1-bethany.jamison@canonical.com
Series: CVE-2023-46862

Message

Bethany Jamison Jan. 22, 2024, 6:24 p.m. UTC
[Impact]

An issue was discovered in the Linux kernel through 6.5.9. During a 
race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo 
NULL pointer dereference can occur.

[Fix]

Lunar: Clean cherry-pick.
Jammy: Manual backport of original fix commit. The structure of 
io_uring in Jammy is different from upstream, so I found where the
chunk of code had been moved to in Jammy and directly applied the
changes.

[Test Case]

Compile and boot test.

[Regression Potential]

Issues could occur during SQ thread exit races.

Jens Axboe (2):
  io_uring/fdinfo: get rid of ref tryget
  io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid

 io_uring/fdinfo.c | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

Comments

Jacob Martin Jan. 22, 2024, 7:34 p.m. UTC | #1
The backport note for the jammy patch should probably read:

(backported from commit ...)

The "manually" notation is not part of the typical format and seems to
already be indicated by your note underneath it.

Acked-by: Jacob Martin <jacob.martin@canonical.com>

On Mon, Jan 22, 2024 at 01:24:08PM -0500, Bethany Jamison wrote:
> [Impact]
> 
> An issue was discovered in the Linux kernel through 6.5.9. During a 
> race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo 
> NULL pointer dereference can occur.
> 
> [Fix]
> 
> Lunar: Clean cherry-pick.
> Jammy: Manual backport of original fix commit. The structure of 
> io_uring in Jammy is different from upstream, so I found where the
> chunk of code had been moved to in Jammy and directly applied the
> changes.
> 
> [Test Case]
> 
> Compile and boot test.
> 
> [Regression Potential]
> 
> Issues could occur during SQ thread exit races.
> 
> Jens Axboe (2):
>   io_uring/fdinfo: get rid of ref tryget
>   io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid
> 
>  io_uring/fdinfo.c | 36 ++++++++++++++++++------------------
>  1 file changed, 18 insertions(+), 18 deletions(-)
> 
Stefan Bader Jan. 23, 2024, 8:51 a.m. UTC | #2
On 22.01.24 19:24, Bethany Jamison wrote:
> [Impact]
> 
> An issue was discovered in the Linux kernel through 6.5.9. During a
> race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo
> NULL pointer dereference can occur.
> 
> [Fix]
> 
> Lunar: Clean cherry-pick.
> Jammy: Manual backport of original fix commit. The structure of
> io_uring in Jammy is different from upstream, so I found where the
> chunk of code had been moved to in Jammy and directly applied the
> changes.
> 
> [Test Case]
> 
> Compile and boot test.
> 
> [Regression Potential]
> 
> Issues could occur during SQ thread exit races.
> 
> Jens Axboe (2):
>    io_uring/fdinfo: get rid of ref tryget
>    io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid
> 
>   io_uring/fdinfo.c | 36 ++++++++++++++++++------------------
>   1 file changed, 18 insertions(+), 18 deletions(-)
> 
Lunar goes EOL by Jan-25. There is no planned future update on it. For
Jammy, with the emphasis that "manually backported" must be amended when
applying.

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Thadeu Lima de Souza Cascardo Jan. 23, 2024, 10:22 a.m. UTC | #3
On Tue, Jan 23, 2024 at 09:51:14AM +0100, Stefan Bader wrote:
> On 22.01.24 19:24, Bethany Jamison wrote:
> > [Impact]
> > 
> > An issue was discovered in the Linux kernel through 6.5.9. During a
> > race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo
> > NULL pointer dereference can occur.
> > 
> > [Fix]
> > 
> > Lunar: Clean cherry-pick.
> > Jammy: Manual backport of original fix commit. The structure of
> > io_uring in Jammy is different from upstream, so I found where the
> > chunk of code had been moved to in Jammy and directly applied the
> > changes.
> > 
> > [Test Case]
> > 
> > Compile and boot test.
> > 
> > [Regression Potential]
> > 
> > Issues could occur during SQ thread exit races.
> > 
> > Jens Axboe (2):
> >    io_uring/fdinfo: get rid of ref tryget
> >    io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid
> > 
> >   io_uring/fdinfo.c | 36 ++++++++++++++++++------------------
> >   1 file changed, 18 insertions(+), 18 deletions(-)
> > 
> Lunar goes EOL by Jan-25. There is no planned future update on it. For Jammy,
> with the emphasis that "manually backported" must be amended when applying.
> 
> Acked-by: Stefan Bader <stefan.bader@canonical.com>
> 

I usually advise that CVE fixes are backported to major versions until they are
completely dead. And by that, I mean all kernels of that major version have
been superseded in -updates and -security. We have relied on promises of
kernels being dead in the past, and that didn't work out well.

Cascardo.
Stefan Bader Jan. 24, 2024, 3:09 p.m. UTC | #4
On 22.01.24 19:24, Bethany Jamison wrote:
> [Impact]
> 
> An issue was discovered in the Linux kernel through 6.5.9. During a
> race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo
> NULL pointer dereference can occur.
> 
> [Fix]
> 
> Lunar: Clean cherry-pick.
> Jammy: Manual backport of original fix commit. The structure of
> io_uring in Jammy is different from upstream, so I found where the
> chunk of code had been moved to in Jammy and directly applied the
> changes.
> 
> [Test Case]
> 
> Compile and boot test.
> 
> [Regression Potential]
> 
> Issues could occur during SQ thread exit races.
> 
> Jens Axboe (2):
>    io_uring/fdinfo: get rid of ref tryget
>    io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid
> 
>   io_uring/fdinfo.c | 36 ++++++++++++++++++------------------
>   1 file changed, 18 insertions(+), 18 deletions(-)
> 

Applied to jammy:linux/master-next and also to Lunar but do not expect a 
release. Thanks.

-Stefan