{ "threat_severity" : "Moderate", "public_date" : "2025-12-30T00:00:00Z", "bugzilla" : { "description" : "kernel: Linux kernel: Denial of Service via NULL pointer dereference in blk-cgroup", "id" : "2426240", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2426240" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-476", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nblk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init\nblk-iocost sometimes causes the following crash:\nBUG: kernel NULL pointer dereference, address: 00000000000000e0\n...\nRIP: 0010:_raw_spin_lock+0x17/0x30\nCode: be 01 02 00 00 e8 79 38 39 ff 31 d2 89 d0 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 65 ff 05 48 d0 34 7e b9 01 00 00 00 31 c0 0f b1 0f 75 02 5d c3 89 c6 e8 ea 04 00 00 5d c3 0f 1f 84 00 00\nRSP: 0018:ffffc900023b3d40 EFLAGS: 00010046\nRAX: 0000000000000000 RBX: 00000000000000e0 RCX: 0000000000000001\nRDX: ffffc900023b3d20 RSI: ffffc900023b3cf0 RDI: 00000000000000e0\nRBP: ffffc900023b3d40 R08: ffffc900023b3c10 R09: 0000000000000003\nR10: 0000000000000064 R11: 000000000000000a R12: ffff888102337000\nR13: fffffffffffffff2 R14: ffff88810af408c8 R15: ffff8881070c3600\nFS: 00007faaaf364fc0(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000000000e0 CR3: 00000001097b1000 CR4: 0000000000350ea0\nCall Trace:\n\nioc_weight_write+0x13d/0x410\ncgroup_file_write+0x7a/0x130\nkernfs_fop_write_iter+0xf5/0x170\nvfs_write+0x298/0x370\nksys_write+0x5f/0xb0\n__x64_sys_write+0x1b/0x20\ndo_syscall_64+0x3d/0x80\nentry_SYSCALL_64_after_hwframe+0x46/0xb0\nThis happens because iocg->ioc is NULL. The field is initialized by\nioc_pd_init() and never cleared. The NULL deref is caused by\nblkcg_activate_policy() installing blkg_policy_data before initializing it.\nblkcg_activate_policy() was doing the following:\n1. Allocate pd's for all existing blkg's and install them in blkg->pd[].\n2. Initialize all pd's.\n3. Online all pd's.\nblkcg_activate_policy() only grabs the queue_lock and may release and\nre-acquire the lock as allocation may need to sleep. ioc_weight_write()\ngrabs blkcg->lock and iterates all its blkg's. The two can race and if\nioc_weight_write() runs during #1 or between #1 and #2, it can encounter a\npd which is not initialized yet, leading to crash.\nThe crash can be reproduced with the following script:\n#!/bin/bash\necho +io > /sys/fs/cgroup/cgroup.subtree_control\nsystemd-run --unit touch-sda --scope dd if=/dev/sda of=/dev/null bs=1M count=1 iflag=direct\necho 100 > /sys/fs/cgroup/system.slice/io.weight\nbash -c \"echo '8:0 enable=1' > /sys/fs/cgroup/io.cost.qos\" &\nsleep .2\necho 100 > /sys/fs/cgroup/system.slice/io.weight\nwith the following patch applied:\n> diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c\n> index fc49be622e05..38d671d5e10c 100644\n> --- a/block/blk-cgroup.c\n> +++ b/block/blk-cgroup.c\n> @@ -1553,6 +1553,12 @@ int blkcg_activate_policy(struct gendisk *disk, const struct blkcg_policy *pol)\n> pd->online = false;\n> }\n>\n> + if (system_state == SYSTEM_RUNNING) {\n> + spin_unlock_irq(&q->queue_lock);\n> + ssleep(1);\n> + spin_lock_irq(&q->queue_lock);\n> + }\n> +\n> /* all allocated, init in the same order */\n> if (pol->pd_init_fn)\n> list_for_each_entry_reverse(blkg, &q->blkg_list, q_node)\nI don't see a reason why all pd's should be allocated, initialized and\nonlined together. The only ordering requirement is that parent blkgs to be\ninitialized and onlined before children, which is guaranteed from the\nwalking order. Let's fix the bug by allocating, initializing and onlining pd\nfor each blkg and holding blkcg->lock over initialization and onlining. This\nensures that an installed blkg is always fully initialized and onlined\nremoving the the race window.", "A flaw was found in the Linux kernel's block cgroup (blk-cgroup) component. A local attacker could exploit a race condition in the `blkcg_activate_policy()` function, where block group policy data (`blkg_policy_data`) is installed before it is fully initialized. This allows another function, `ioc_weight_write()`, to access uninitialized data, leading to a NULL pointer dereference and causing a system crash, resulting in a Denial of Service (DoS)." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-11-12T00:00:00Z", "advisory" : "RHSA-2024:9315", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-503.11.1.el9_5" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Under investigation", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-54271\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-54271\nhttps://lore.kernel.org/linux-cve-announce/2025123001-CVE-2023-54271-d75a@gregkh/T" ], "name" : "CVE-2023-54271", "csaw" : false }