A vulnerability within the Linux kernel has been identified and resolved, potentially impacting all Linux systems that utilize the io_uring asynchronous I/O system calls. The resolution specifically addresses the issue by checking if the internal IO workqueue (iowq) is killed before further queuing. Failure to do so could result in task work being executed after the termination of io_uring, which may cause undefined behavior, crashes, or even potential security risks.
Details of the Vulnerability (CVE-2024-56709)
Linux kernel developers discovered a vulnerability in the implementation of the asynchronous I/O system call subsystem, known as io_uring. io_uring provides an interface that allows I/O operations to be performed asynchronously, improving performance and reducing the overhead caused by blocking system calls.
The vulnerability occurs because the kernel may execute task work after the io_uring termination process. When this happens, the kernel will find that the internal IO workqueue (iowq) has been killed and set to null, which results in undefined behavior if the task work tries to forward the request to the io_queue_iowq() function.
The main issue stems from not checking whether the iowq has been killed before queuing additional operations.
The solution applied in the Linux kernel source code can be seen below:

    static int io_queue_iowq(struct io_kiocb *req, unsigned int sqe_flags)
    {
        /* Refuse to queue if PF_KTHREAD is set or the iowq has been killed (NULL). */
        if (req->task->flags & PF_KTHREAD || req->task->io_wq == NULL)
            return -EOWNERDEAD;

        task_work_add(req->task, req, sqe_flags);
        return 0; /* queued successfully */
    }

This modification ensures that the io_queue_iowq() function checks whether the iowq is already null or the task has the PF_KTHREAD flag set, which would indicate that the task is already dead. If either condition is true, the function returns an error indicating that the task owner is dead.
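The lifecycle described above, as a user-space model added here for illustration (it is not kernel code and not the project's patch): the workqueue pointer is set to NULL at termination, and deferred task work then tries to queue a request. All `model_*` names and the `MODEL_PF_KTHREAD` value are assumptions made for this example.

```c
/* User-space model (added example); all names are hypothetical stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_PF_KTHREAD 0x1u            /* stand-in for the kernel's PF_KTHREAD */

struct model_wq   { int queued; };                      /* stand-in for the iowq */
struct model_task { unsigned flags; struct model_wq *io_wq; };
struct model_req  { struct model_task *task; int result; };

/* Guarded queuing: refuse when the workqueue is gone or the flag is set. */
static int model_queue_iowq(struct model_req *req)
{
    struct model_task *t = req->task;

    if ((t->flags & MODEL_PF_KTHREAD) || t->io_wq == NULL)
        return -EOWNERDEAD;              /* error code used in the page's snippet */
    t->io_wq->queued++;                  /* safe: io_wq is known to be live here */
    return 0;
}

/* Termination: the workqueue is killed and the pointer is set to NULL. */
static void model_terminate(struct model_task *t) { t->io_wq = NULL; }

/* Deferred task work: runs later and records the queuing outcome on the request. */
static int model_run_task_work(struct model_req *req)
{
    req->result = model_queue_iowq(req);
    return req->result;
}

int main(void)
{
    struct model_wq wq = { 0 };
    struct model_task task = { 0, &wq };
    struct model_req early = { &task, 0 }, late = { &task, 0 };

    printf("before termination: %d\n", model_run_task_work(&early));
    model_terminate(&task);
    /* Without the guard, this call would dereference a NULL io_wq. */
    printf("after termination:  %d\n", model_run_task_work(&late));
    return 0;
}
```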
Exploit
There hasn't been any reported active exploit based on this vulnerability. However, further details and the original references to this issue are given below:
- Kernel Git commit reference
- Linux Kernel Mailing List discussion
Impact and Resolution
Although there has not been any known exploit based on this vulnerability, it is crucial to patch your Linux kernel to avoid any potential risks. Linux users are advised to upgrade their kernel to the latest available version, which includes the patch for this vulnerability.
Linux distributions are expected to release updates for their kernels that incorporate this patch in the coming weeks. Users should apply these kernel updates as they become available to ensure their systems are protected from this vulnerability.
Linux kernel developers have resolved the issue by adding a check to the io_queue_iowq() function that tests whether the iowq has already been killed before additional operations are queued. This fix prevents the undefined behavior that could have resulted from attempting to forward a request to an already dead task in the io_queue_iowq() function.
Timeline
Published on: 12/29/2024 09:15:05 UTC
Last modified on: 01/20/2025 06:26:38 UTC