CVE-2024-39508
Public on
Last Modified:
Description
The CVE Program describes this issue as:
In the Linux kernel, the following vulnerability has been resolved: io_uring/io-wq: Use set_bit() and test_bit() at worker->flags Utilize set_bit() and test_bit() on worker->flags within io_uring/io-wq to address potential data races. The structure io_worker->flags may be accessed through various data paths, leading to concurrency issues. When KCSAN is enabled, it reveals data races occurring in io_worker_handle_work and io_wq_activate_free_worker functions. BUG: KCSAN: data-race in io_worker_handle_work / io_wq_activate_free_worker write to 0xffff8885c4246404 of 4 bytes by task 49071 on cpu 28: io_worker_handle_work (io_uring/io-wq.c:434 io_uring/io-wq.c:569) io_wq_worker (io_uring/io-wq.c:?) <snip> read to 0xffff8885c4246404 of 4 bytes by task 49024 on cpu 5: io_wq_activate_free_worker (io_uring/io-wq.c:? io_uring/io-wq.c:285) io_wq_enqueue (io_uring/io-wq.c:947) io_queue_iowq (io_uring/io_uring.c:524) io_req_task_submit (io_uring/io_uring.c:1511) io_handle_tw_list (io_uring/io_uring.c:1198) <snip> Line numbers against commit 18daea77cca6 ("Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm"). These races involve writes and reads to the same memory location by different tasks running on different CPUs. To mitigate this, refactor the code to use atomic operations such as set_bit(), test_bit(), and clear_bit() instead of basic "and" and "or" operations. This ensures thread-safe manipulation of worker flags. Also, move `create_index` to avoid holes in the structure.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Additional information
- Bugzilla 2297480: kernel: io_uring/io-wq: Use set_bit() and test_bit() at worker->flags
- (CWE-367|CWE-364): Time-of-check Time-of-use (TOCTOU) Race Condition or Signal Handler Race Condition
- FAQ: Frequently asked questions about CVE-2024-39508
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).
| Red Hat | NVD | |
|---|---|---|
CVSS v3 Base Score | 7 | N/A |
Attack Vector | Local | N/A |
Attack Complexity | High | N/A |
Privileges Required | Low | N/A |
User Interaction | None | N/A |
Scope | Unchanged | N/A |
Confidentiality Impact | High | N/A |
Integrity Impact | High | N/A |
Availability Impact | High | N/A |
CVSS v3 Vector
Red Hat: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Understanding the Weakness (CWE)
Integrity,Other
Technical Impact: Alter Execution Logic; Unexpected State
The attacker can gain access to otherwise unauthorized resources.
Integrity,Other
Technical Impact: Modify Application Data; Modify Files or Directories; Modify Memory; Other
Race conditions such as this kind may be employed to gain read or write access to resources which are not normally readable or writable by the user in question.
Integrity,Other
Technical Impact: Other
The resource in question, or other resources (through the corrupted one), may be changed in undesirable ways by a malicious user.
Non-Repudiation
Technical Impact: Hide Activities
If a file or other resource is written in this method, as opposed to in a valid way, logging of the activity may not occur.
Non-Repudiation,Other
Technical Impact: Other
In some cases it may be possible to delete files a malicious user might not otherwise have access to, such as log files.
Integrity,Confidentiality,Availability
Technical Impact: Modify Application Data; Modify Memory; DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands
It may be possible to cause data corruption and possibly execute arbitrary code by modifying global variables or data structures at unexpected times, violating the assumptions of code that uses this global data.
Access Control
Technical Impact: Gain Privileges or Assume Identity
If a signal handler interrupts code that is executing with privileges, it may be possible that the signal handler will also be executed with elevated privileges, possibly making subsequent exploits more severe.
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
What can I do if my product is listed as "Will not fix"?
What can I do if my product is listed as "Fix deferred"?
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
Not sure what something means? Check out our Security Glossary.
Want to get errata notifications? Sign up here.
