CVE-2021-46984

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-46984
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-46984.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-46984
Related
Published
2024-02-28T09:15:37Z
Modified
2024-09-11T02:00:06Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

kyber: fix out of bounds access when preempted

_blkmqschedbiomerge() gets the ctx and hctx for the current CPU and passes the hctx to ->biomerge(). kyberbiomerge() then gets the ctx for the current CPU again and uses that to get the corresponding Kyber context in the passed hctx. However, the thread may be preempted between the two calls to blkmqgetctx(), and the ctx returned the second time may no longer correspond to the passed hctx. This "works" accidentally most of the time, but it can cause us to read garbage if the second ctx came from an hctx with more ctx's than the first one (i.e., if ctx->indexhw[hctx->type] > hctx->nr_ctx).

This manifested as this UBSAN array index out of bounds error reported by Jakub:

UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9 index 13106 is out of range for type 'long unsigned int [128]' Call Trace: dumpstack+0xa4/0xe5 ubsanepilogue+0x5/0x40 _ubsanhandleoutofbounds.cold.13+0x2a/0x34 queuedspinlockslowpath+0x476/0x480 dorawspinlock+0x1c2/0x1d0 kyberbiomerge+0x112/0x180 blkmqsubmitbio+0x1f5/0x1100 submitbionoacct+0x7b0/0x870 submitbio+0xc2/0x3a0 btrfsmapbio+0x4f0/0x9d0 btrfssubmitdatabio+0x24e/0x310 submitonebio+0x7f/0xb0 submitextentpage+0xc4/0x440 _extentwritepageio+0x2b8/0x5e0 _extentwritepage+0x28d/0x6e0 extentwritecachepages+0x4d7/0x7a0 extentwritepages+0xa2/0x110 dowritepages+0x8f/0x180 _writebacksingleinode+0x99/0x7f0 writebacksbinodes+0x34e/0x790 _writebackinodeswb+0x9e/0x120 wbwriteback+0x4d2/0x660 wbworkfn+0x64d/0xa10 processonework+0x53a/0xa80 workerthread+0x69/0x5b0 kthread+0x20b/0x240 retfrom_fork+0x1f/0x30

Only Kyber uses the hctx, so fix it by passing the requestqueue to ->biomerge() instead. BFQ and mq-deadline just use that, and Kyber can map the queues itself to avoid the mismatch.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.38-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}