ghsa-6wf9-7vfw-cj9r
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
io_uring/sqpoll: fix sqpoll error handling races
BUG: KASAN: slab-use-after-free in __lock_acquire+0x370b/0x4a10 kernel/locking/lockdep.c:5089 Call Trace: ... _raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline] try_to_wake_up+0xb5/0x23c0 kernel/sched/core.c:4205 io_sq_thread_park+0xac/0xe0 io_uring/sqpoll.c:55 io_sq_thread_finish+0x6b/0x310 io_uring/sqpoll.c:96 io_sq_offload_create+0x162/0x11d0 io_uring/sqpoll.c:497 io_uring_create io_uring/io_uring.c:3724 [inline] io_uring_setup+0x1728/0x3230 io_uring/io_uring.c:3806 ...
Kun Hu reports that the SQPOLL creating error path has UAF, which happens if io_uring_alloc_task_context() fails and then io_sq_thread() manages to run and complete before the rest of error handling code, which means io_sq_thread_finish() is looking at already killed task.
Note that this is mostly theoretical, requiring fault injection on the allocation side to trigger in practice.
{
"affected": [],
"aliases": [
"CVE-2024-56762"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-06T17:15:41Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/sqpoll: fix sqpoll error handling races\n\nBUG: KASAN: slab-use-after-free in __lock_acquire+0x370b/0x4a10 kernel/locking/lockdep.c:5089\nCall Trace:\n\u003cTASK\u003e\n...\n_raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162\nclass_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]\ntry_to_wake_up+0xb5/0x23c0 kernel/sched/core.c:4205\nio_sq_thread_park+0xac/0xe0 io_uring/sqpoll.c:55\nio_sq_thread_finish+0x6b/0x310 io_uring/sqpoll.c:96\nio_sq_offload_create+0x162/0x11d0 io_uring/sqpoll.c:497\nio_uring_create io_uring/io_uring.c:3724 [inline]\nio_uring_setup+0x1728/0x3230 io_uring/io_uring.c:3806\n...\n\nKun Hu reports that the SQPOLL creating error path has UAF, which\nhappens if io_uring_alloc_task_context() fails and then io_sq_thread()\nmanages to run and complete before the rest of error handling code,\nwhich means io_sq_thread_finish() is looking at already killed task.\n\nNote that this is mostly theoretical, requiring fault injection on\nthe allocation side to trigger in practice.",
"id": "GHSA-6wf9-7vfw-cj9r",
"modified": "2025-01-06T18:31:04Z",
"published": "2025-01-06T18:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56762"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6237331361711810d8f2e3fbfe2f7a6f9548f5e0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/80120bb4eef7848d5aa3b1a0cd88367cd05fbe03"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8e8494c83cf73168118587e9567e4f7e50ce4fd8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e33ac68e5e21ec1292490dfe061e75c0dbdd3bd4"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.