Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:block: be a bit more careful in checking for NULL bdev while pollingWei reports a crash with an application using polled IO:PGD 14265e067 P4D 14265e067 PUD 47ec50067 PMD 0Oops: 0000 [#1] SMPCPU: 0 PID: 21915 Comm: iocore_0 Kdump: loaded Tainted: G S 5.12.0-0_fbk12_clang_7346_g1bb6f2e7058f #1Hardware name: Wiwynn Delta Lake MP T8/Delta Lake-Class2, BIOS Y3DLM08 04/10/2022RIP: 0010:bio_poll+0x25/0x200Code: 0f 1f 44 00 00 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 28 65 48 8b 04 25 28 00 00 00 48 89 44 24 20 48 8b 47 08 <48> 8b 80 70 02 00 00 4c 8b 70 50 8b 6f 34 31 db 83 fd ff 75 25 65RSP: 0018:ffffc90005fafdf8 EFLAGS: 00010292RAX: 0000000000000000 RBX: 0000000000000000 RCX: 74b43cd65dd66600RDX: 0000000000000003 RSI: ffffc90005fafe78 RDI: ffff8884b614e140RBP: ffff88849964df78 R08: 0000000000000000 R09: 0000000000000008R10: 0000000000000000 R11: 0000000000000000 R12: ffff88849964df00R13: ffffc90005fafe78 R14: ffff888137d3c378 R15: 0000000000000001FS: 00007fd195000640(0000) GS:ffff88903f400000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000000000000270 CR3: 0000000466121001 CR4: 00000000007706f0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400PKRU: 55555554Call Trace: iocb_bio_iopoll+0x1d/0x30 io_do_iopoll+0xac/0x250 __se_sys_io_uring_enter+0x3c5/0x5a0 ? __x64_sys_write+0x89/0xd0 do_syscall_64+0x2d/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xaeRIP: 0033:0x94f225dCode: 24 cc 00 00 00 41 8b 84 24 d0 00 00 00 c1 e0 04 83 e0 10 41 09 c2 8b 33 8b 53 04 4c 8b 43 18 4c 63 4b 0c b8 aa 01 00 00 0f 05 <85> c0 0f 88 85 00 00 00 29 03 45 84 f6 0f 84 88 00 00 00 41 f6 c7RSP: 002b:00007fd194ffcd88 EFLAGS: 00000202 ORIG_RAX: 00000000000001aaRAX: ffffffffffffffda RBX: 00007fd194ffcdc0 RCX: 00000000094f225dRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007RBP: 00007fd194ffcdb0 R08: 0000000000000000 R09: 0000000000000008R10: 0000000000000001 R11: 0000000000000202 R12: 00007fd269d68030R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000which is due to bio->bi_bdev being NULL. This can happen if we have twotasks doing polled IO, and task B ends up completing IO from task A ifthey are sharing a poll queue. If task B completes the IO and puts thebio into our cache, then it can allocate that bio again before task Ais done polling for it. As that would necessitate a preempt between thetwo tasks, it's enough to just be a bit more careful in checking forwhether or not bio->bi_bdev is NULL.
No PoCs from references.
- https://github.com/fkie-cad/nvd-json-data-feeds