CVE-2024-26627: Linux Kernel SCSI Vulnerability Resolved Through Efficient Error Handler Kthread Waking
A recently discovered vulnerability, tracked as CVE-2024-26627, has been resolved in the Linux kernel. The vulnerability was related to the scsi: core subsystem and specifically dealt with efficiently waking up the error handler kthread in certain scenarios. This article details the vulnerability, its potential impact, and the resolution provided by the Linux kernel developers. We will also provide code snippets and links to original references for further information.
Background
In the Linux kernel, the scsi: core subsystem handles communication between the kernel and SCSI-based devices (such as storage devices). The scsi_host_busy() function counts the commands currently in flight on a SCSI host; scsi_eh_wakeup() uses that count to decide whether the error handler kthread needs to be woken up.
The Vulnerability
The issue was in the scsi_eh_wakeup() path, where scsi_host_busy() was called and its result checked with the host lock held on every wake-up decision. Because scsi_host_busy() has to walk the tags of every hardware queue, the time spent under the lock grows with the number of hardware queues (N) times the queue depth (M), so recovery on a host with many hardware queues and deep queues could spin for a long time while acquiring and holding the host lock, degrading system performance and eventually causing a hard lockup. The problem was observed on systems with mpi3mr, with 128 hardware queues and a queue depth of 8169.
Resolution
The Linux kernel developers fixed the vulnerability by calling scsi_host_busy() before taking the host lock and passing its result into scsi_eh_wakeup(), so that only the cheap comparison and the wake-up itself run with the lock held. This removes the expensive tag walk from the critical path of recovery and eliminates the risk of hard lockup under heavy load described above.
Code Snippet
Here is a simplified snippet illustrating the shape of the change to the scsi_eh_wakeup() path as part of the fix for this vulnerability (the kernel compares the busy count against host->host_failed, i.e. it wakes the error handler once every outstanding command has failed):

/* Before the fix: the expensive scsi_host_busy() walk runs with the host lock held */
spin_lock_irq(host->host_lock);
if (scsi_host_busy(host) == host->host_failed)
	wake_up_process(host->ehandler);
spin_unlock_irq(host->host_lock);

/* After the fix: count first, then take the lock only for the comparison and wake-up */
busy = scsi_host_busy(host);
spin_lock_irq(host->host_lock);
if (busy == host->host_failed)
	wake_up_process(host->ehandler);
spin_unlock_irq(host->host_lock);
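To make the cost difference concrete, the following user-space model (an added example, not code from the kernel or from the patch) reproduces the two shapes of the wake-up path over a tag table of 128 hardware queues by 8169 slots, the configuration the CVE text reports for mpi3mr. The host lock is modelled as a plain flag, host_busy() counts the tag slots it walks and attributes them to "lock held" or "lock not held", and simulate() drives a series of command completions while the host is in recovery, as scsi_dec_host_busy() would. All struct and function names here are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a SCSI host (assumption, not kernel code): one tag
 * slot per (hardware queue, depth) pair. Sizes are the ones the CVE text
 * reports for mpi3mr. */
#define NR_HW_QUEUES 128
#define QUEUE_DEPTH  8169

struct host {
    uint8_t *in_flight;                  /* NR_HW_QUEUES * QUEUE_DEPTH tag slots */
    unsigned int host_failed;            /* commands handed to the error handler */
    bool lock_held;                      /* stand-in for shost->host_lock */
    unsigned long tags_scanned_locked;   /* slots walked while the lock was held */
    unsigned long tags_scanned_unlocked; /* slots walked without the lock */
    unsigned int wakeups;                /* wake_up_process(ehandler) calls */
};

static void host_lock(struct host *h)   { h->lock_held = true; }
static void host_unlock(struct host *h) { h->lock_held = false; }

/* The expensive part: like scsi_host_busy(), walk every tag of every hw queue. */
static unsigned int host_busy(struct host *h)
{
    unsigned long n = (unsigned long)NR_HW_QUEUES * QUEUE_DEPTH;
    unsigned int busy = 0;
    for (unsigned long i = 0; i < n; i++)
        busy += h->in_flight[i];
    if (h->lock_held)
        h->tags_scanned_locked += n;
    else
        h->tags_scanned_unlocked += n;
    return busy;
}

/* Pre-fix shape: the whole walk happens with the host lock held. */
static void eh_wakeup_pre_fix(struct host *h)
{
    host_lock(h);
    if (host_busy(h) == h->host_failed)
        h->wakeups++;
    host_unlock(h);
}

/* Post-fix shape: count first, hold the lock only for the compare-and-wake. */
static void eh_wakeup_fixed(struct host *h)
{
    unsigned int busy = host_busy(h);    /* outside the lock */
    host_lock(h);
    if (busy == h->host_failed)
        h->wakeups++;
    host_unlock(h);
}

struct sim_result {
    unsigned int wakeups;
    unsigned long tags_scanned_locked;
    unsigned long tags_scanned_unlocked;
};

/* Start with `in_flight` busy tags, `failed` of which are queued to the error
 * handler (failed commands keep their tags), then complete non-failed commands
 * one at a time, calling the wake-up path after each completion. */
static struct sim_result simulate(bool fixed, unsigned int in_flight,
                                  unsigned int failed, unsigned int completions)
{
    struct host h = {0};
    unsigned long n = (unsigned long)NR_HW_QUEUES * QUEUE_DEPTH;
    h.in_flight = calloc(n, 1);
    memset(h.in_flight, 1, in_flight);   /* constructed: first in_flight tags busy */
    h.host_failed = failed;

    for (unsigned int i = 0; i < completions; i++) {
        if (in_flight > failed)
            h.in_flight[--in_flight] = 0; /* one good command completes */
        if (fixed)
            eh_wakeup_fixed(&h);
        else
            eh_wakeup_pre_fix(&h);
    }
    struct sim_result r = { h.wakeups, h.tags_scanned_locked, h.tags_scanned_unlocked };
    free(h.in_flight);
    return r;
}

int main(void)
{
    struct sim_result a = simulate(false, 10, 3, 7);
    struct sim_result b = simulate(true, 10, 3, 7);
    printf("pre-fix : wakeups=%u slots walked under lock=%lu\n", a.wakeups, a.tags_scanned_locked);
    printf("fixed   : wakeups=%u slots walked under lock=%lu (outside=%lu)\n",
           b.wakeups, b.tags_scanned_locked, b.tags_scanned_unlocked);
    return 0;
}
```

Both variants reach the same decision (the error handler is woken exactly once, when only the three failed commands remain in flight), but the pre-fix shape walks all 1,045,632 tag slots per completion with the host lock held, while the fixed shape walks none under the lock. On real hardware that per-completion walk is what turned a completion storm during recovery into lock contention and, at the reported queue sizes, a hard lockup.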
Original References
The original patch and discussion related to this vulnerability and its resolution can be found in the Linux kernel mailing list on the following thread: https://lore.kernel.org/linux-scsi/20211013074701.3359326-1-ming.lei@redhat.com/
Additionally, the patch has been included in the Linux kernel source repository and can be found here: https://github.com/torvalds/linux/commit/6838bc8e6903aea88eda26f7eb38b421492fbbd8
Exploit Details
Because this vulnerability is a performance issue that can lead to system instability, the primary concern was a hard lockup on systems with many hardware queues and deep queue depths. Triggering it would have required saturating the host with SCSI requests while it is in recovery, so that the repeated lock-held scsi_host_busy() checks described above pile up. With the fix applied, the kernel is more resilient to this kind of denial of service in its handling of SCSI-based devices.
Conclusion
CVE-2024-26627 is an important vulnerability resolved in the Linux kernel, addressing a performance and stability issue in the scsi: core subsystem. By moving the expensive busy-count check out of the host lock, the patch removes the risk of system instability in high-performance SCSI configurations. Linux kernel users and administrators should make sure their systems are running a kernel version that includes this fix.
Timeline
Published on: 03/06/2024 07:15:12 UTC
Last modified on: 10/31/2024 15:35:30 UTC