CVE-2021-46984
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/02/2024
Last modified:
06/12/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

kyber: fix out of bounds access when preempted

__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and
passes the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx
for the current CPU again and uses that to get the corresponding Kyber
context in the passed hctx. However, the thread may be preempted between
the two calls to blk_mq_get_ctx(), and the ctx returned the second time
may no longer correspond to the passed hctx. This "works" accidentally
most of the time, but it can cause us to read garbage if the second ctx
came from an hctx with more ctx's than the first one (i.e., if
ctx->index_hw[hctx->type] > hctx->nr_ctx).

This manifested as this UBSAN array index out of bounds error reported
by Jakub:

UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9
index 13106 is out of range for type 'long unsigned int [128]'
Call Trace:
dump_stack+0xa4/0xe5
ubsan_epilogue+0x5/0x40
__ubsan_handle_out_of_bounds.cold.13+0x2a/0x34
queued_spin_lock_slowpath+0x476/0x480
do_raw_spin_lock+0x1c2/0x1d0
kyber_bio_merge+0x112/0x180
blk_mq_submit_bio+0x1f5/0x1100
submit_bio_noacct+0x7b0/0x870
submit_bio+0xc2/0x3a0
btrfs_map_bio+0x4f0/0x9d0
btrfs_submit_data_bio+0x24e/0x310
submit_one_bio+0x7f/0xb0
submit_extent_page+0xc4/0x440
__extent_writepage_io+0x2b8/0x5e0
__extent_writepage+0x28d/0x6e0
extent_write_cache_pages+0x4d7/0x7a0
extent_writepages+0xa2/0x110
do_writepages+0x8f/0x180
__writeback_single_inode+0x99/0x7f0
writeback_sb_inodes+0x34e/0x790
__writeback_inodes_wb+0x9e/0x120
wb_writeback+0x4d2/0x660
wb_workfn+0x64d/0xa10
process_one_work+0x53a/0xa80
worker_thread+0x69/0x5b0
kthread+0x20b/0x240
ret_from_fork+0x1f/0x30

Only Kyber uses the hctx, so fix it by passing the request_queue to
->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can
map the queues itself to avoid the mismatch.
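The bug class described above, a per-CPU lookup repeated across a possible preemption so that two values assumed to be a consistent pair no longer are, can be shown in a small user-space model. The following is an added example, not kernel code and not from the commit referenced by this record; the `hctx`/`ctx` structs, the `kcq_data` array and the `get_ctx()` helper are simplified stand-ins for the block-mq objects named in the description, and the topology (one hctx serving CPU 0, another serving CPUs 1 to 3) is constructed for illustration. `buggy_lookup()` reproduces the vulnerable ordering (hctx taken before the migration, ctx taken after) and reports -1 where the kernel would have read out of bounds; `fixed_lookup()` takes the ctx once and derives the hctx from it, which is the invariant the fix restores by letting Kyber map the queue itself.

```c
/*
 * Added user-space model (not kernel code) of the ctx/hctx mismatch
 * described in CVE-2021-46984. An integer "cpu" stands in for the CPU a
 * thread is running on; a lookup repeated across a simulated preemption
 * can land on a different cpu and therefore a different software queue.
 */
#include <stdio.h>

#define NR_CPUS 4

/* Hardware queue: owns nr_ctx software queues, slots 0..nr_ctx-1 are valid. */
struct hctx {
    int nr_ctx;
    int kcq_data[3];   /* per-ctx data; only the first nr_ctx entries are valid */
};

/* Software queue (one per cpu): the hctx it belongs to and its slot there. */
struct ctx {
    struct hctx *hctx;
    int index_hw;
};

/* Constructed topology: hctx0 serves cpu 0 only; hctx1 serves cpus 1..3. */
static struct hctx hctxs[2] = {
    { .nr_ctx = 1, .kcq_data = { 100 } },
    { .nr_ctx = 3, .kcq_data = { 200, 201, 202 } },
};
static struct ctx ctxs[NR_CPUS] = {
    { &hctxs[0], 0 },
    { &hctxs[1], 0 },
    { &hctxs[1], 1 },
    { &hctxs[1], 2 },
};

/* Stand-in for blk_mq_get_ctx(): the software queue of the cpu we are on now. */
static struct ctx *get_ctx(int cpu)
{
    return &ctxs[cpu];
}

/*
 * Vulnerable ordering: the caller resolved hctx while on cpu_before and
 * passed it down; the callee resolves ctx again, now on cpu_after.
 * Returns the kcq slot value that would be read, or -1 when ctx->index_hw
 * lies outside hctx->nr_ctx (where the kernel read garbage and UBSAN fired).
 */
static int buggy_lookup(int cpu_before, int cpu_after)
{
    struct hctx *hctx = get_ctx(cpu_before)->hctx;  /* first blk_mq_get_ctx() */
    /* ... thread is preempted and migrated to cpu_after here ... */
    struct ctx *ctx = get_ctx(cpu_after);            /* second blk_mq_get_ctx() */
    int idx = ctx->index_hw;

    if (idx >= hctx->nr_ctx)
        return -1;                                   /* out-of-bounds access caught */
    return hctx->kcq_data[idx];                      /* may be the wrong queue's data */
}

/*
 * Fixed ordering: resolve ctx once and derive hctx from that same ctx, so
 * the pair cannot disagree no matter where the thread ends up running.
 */
static int fixed_lookup(int cpu_before, int cpu_after)
{
    (void)cpu_before;                                /* caller no longer passes hctx */
    struct ctx *ctx = get_ctx(cpu_after);
    struct hctx *hctx = ctx->hctx;                   /* map the queue from the ctx itself */
    int idx = ctx->index_hw;

    if (idx >= hctx->nr_ctx)
        return -1;                                   /* unreachable with a consistent pair */
    return hctx->kcq_data[idx];
}

int main(void)
{
    printf("no preemption,   buggy: %d\n", buggy_lookup(0, 0));  /* 100: correct */
    printf("migrated 3->0,   buggy: %d\n", buggy_lookup(3, 0));  /* 200: in bounds, wrong queue */
    printf("migrated 0->3,   buggy: %d\n", buggy_lookup(0, 3));  /* -1: out of bounds */
    printf("migrated 0->3,   fixed: %d\n", fixed_lookup(0, 3));  /* 202: correct */
    return 0;
}
```

The second case is the "works accidentally" outcome the commit message mentions: the index stays inside the stale hctx's bounds, so nothing crashes, but the data belongs to a different queue. The third case is the one UBSAN reported, where the migrated-to ctx has a larger slot number than the original hctx can hold.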
Impact
Base Score 3.x:
7.80
Severity 3.x:
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.18 (including) | 5.4.120 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.38 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.11.22 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.12 (including) | 5.12.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0b6b4b90b74c27bea968c214d820ba4254b903a5
- https://git.kernel.org/stable/c/2ef3c76540c49167a0bc3d5f80d00fd1fc4586df
- https://git.kernel.org/stable/c/54dbe2d2c1fcabf650c7a8b747601da355cd7f9f
- https://git.kernel.org/stable/c/a287cd84e047045f5a4d4da793414e848de627c6
- https://git.kernel.org/stable/c/efed9a3337e341bd0989161b97453b52567bc59d