A recently discovered vulnerability (CVE-2024-50081) found in the Linux kernel can cause kernel oops when the queue tag_set is not set up before initializing hctx. This vulnerability affects the blk-mq subsystem, which is responsible for handling block I/O (Input/Output) requests. In this long-read post, we will show you the detailed exploit information, code snippet, and a link to the original patch to help fix this vulnerability.

Exploit Details

The vulnerability is due to the improper initialization order of hctx in the blk-mq subsystem. Specifically, the function blk_mq_check_cpu_map added in commit 7b815817aa58 requires queue->tag_set to be set up before hctx is initialized. Before the fix, however, queue->tag_set was not yet prepared when the hctx's cpuhp handler was enabled, and the handler's access to the unset tag_set leads to a kernel oops. The vulnerability can cause a crash, resulting in a denial-of-service situation or potentially allowing an attacker to execute arbitrary code with kernel privileges.

Below is a code snippet from the patched Linux kernel source that addresses this issue:

 1  /* blk-mq.c */
 2  static int blk_mq_hw_init(struct blk_mq_tag_set *set, struct request_queue *q)
 3  {
 4      int i, ret;
 5      struct blk_mq_hw_ctx *hctx;
 6
 7      q->tag_set = set;   /* must be set before any hctx (and its cpuhp handler) is initialized */
 8
 9      for (i = 0; i < q->nr_hw_queues; i++) {
10          hctx = q->queue_hw_ctx[i];
11          hctx->queue = q;
12
13          ret = blk_mq_hctx_init(hctx);   /* registers the cpuhp handler, which reads q->tag_set */
14          if (ret)
15              return ret;
16      }
17
18      blk_mq_recover_ctx_rq_lists(q);
19
20      return 0;
21  }

As you can see in line 7, we set up the queue tag_set before initializing the hctx in line 13. This ensures that the tag_set is properly configured for use by the hctx's cpuhp handler. This small change prevents the kernel oops and addresses the Linux kernel vulnerability in blk-mq.
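The following stand-alone C model, added here as an example and not taken from the kernel or from the patch, reproduces the ordering defect in miniature. The structure and function names (queue_model, hctx_model, check_cpu_map_model, init_queue_buggy, init_queue_fixed) are invented stand-ins for the blk-mq types; the only point they carry over is that the per-hctx hotplug-style handler dereferences q->tag_set, so assigning tag_set after the hctx loop is a use-before-initialization that the real kernel reports as an oops. The model turns that NULL dereference into an error return so the two orderings can be compared in user space.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_HW_QUEUES 4

/* Invented stand-ins for blk_mq_tag_set, blk_mq_hw_ctx and request_queue. */
struct tagset_model {
    unsigned int nr_hw_queues;
};

struct hctx_model {
    unsigned int queue_num;
    bool cpuhp_registered;   /* set once the handler has been installed */
};

struct queue_model {
    struct tagset_model *tag_set;
    unsigned int nr_hw_queues;
    struct hctx_model hctx[MAX_HW_QUEUES];
};

/* Models the cpuhp handler's dependency on q->tag_set. In the kernel an
 * unset tag_set here is a NULL pointer dereference; the model returns -1. */
static int check_cpu_map_model(struct queue_model *q, struct hctx_model *hctx)
{
    if (q->tag_set == NULL)
        return -1;                                  /* would oops in-kernel */
    if (hctx->queue_num >= q->tag_set->nr_hw_queues)
        return -2;                                  /* inconsistent mapping */
    hctx->cpuhp_registered = true;
    return 0;
}

static int hctx_init_model(struct queue_model *q, struct hctx_model *hctx)
{
    /* The real hctx init enables the cpuhp handler; the handler needs tag_set. */
    return check_cpu_map_model(q, hctx);
}

static void reset_queue(struct queue_model *q, const struct tagset_model *set)
{
    unsigned int i;
    q->tag_set = NULL;
    q->nr_hw_queues = set->nr_hw_queues;
    for (i = 0; i < MAX_HW_QUEUES; i++) {
        q->hctx[i].queue_num = i;
        q->hctx[i].cpuhp_registered = false;
    }
}

/* Pre-fix ordering: hctx initialization runs while q->tag_set is still NULL. */
static int init_queue_buggy(struct queue_model *q, struct tagset_model *set)
{
    unsigned int i;
    int ret;

    reset_queue(q, set);
    for (i = 0; i < q->nr_hw_queues; i++) {
        ret = hctx_init_model(q, &q->hctx[i]);
        if (ret)
            return ret;      /* the first hctx already fails: tag_set unset */
    }
    q->tag_set = set;        /* too late to help the handlers above */
    return 0;
}

/* Fixed ordering: tag_set is assigned before any hctx is initialized. */
static int init_queue_fixed(struct queue_model *q, struct tagset_model *set)
{
    unsigned int i;
    int ret;

    reset_queue(q, set);
    q->tag_set = set;        /* the same move the patch makes */
    for (i = 0; i < q->nr_hw_queues; i++) {
        ret = hctx_init_model(q, &q->hctx[i]);
        if (ret)
            return ret;
    }
    return 0;
}

/* Helper for checking the outcome: how many hctx got their handler installed. */
static unsigned int registered_hctx_count(const struct queue_model *q)
{
    unsigned int i, n = 0;
    for (i = 0; i < q->nr_hw_queues; i++)
        if (q->hctx[i].cpuhp_registered)
            n++;
    return n;
}

int main(void)
{
    struct tagset_model set = { .nr_hw_queues = 2 };   /* constructed sample */
    struct queue_model q;

    printf("buggy order: ret=%d registered=%u\n",
           init_queue_buggy(&q, &set), registered_hctx_count(&q));
    printf("fixed order: ret=%d registered=%u\n",
           init_queue_fixed(&q, &set), registered_hctx_count(&q));
    return 0;
}
```

Running the model shows the buggy ordering failing on the very first hctx with no handlers installed, while the fixed ordering initializes every hctx; this is the same one-line move of the tag_set assignment that line 7 of the kernel snippet performs, and it is a useful pattern to look for whenever a per-object callback is registered inside a loop that runs before the shared state it reads has been assigned.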

Original References

Here are the relevant links to the original Linux kernel source, commit message, and patch to provide further information and context on this vulnerability:

- Linux kernel source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/block/blk-mq.c
- Commit message: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7b815817aa58c213a5efcece62fa7db6903e446e
- Patch: https://lkml.org/lkml/2021/2/25/816

Conclusion

With this post, you should now be familiar with the Linux kernel vulnerability CVE-2024-50081 and its related exploit details. The code snippet and provided links should help you understand the necessary changes to address the issue. While this fix may seem relatively simple, it is essential to apply the patch and ensure the proper order of initialization to prevent crashes and potential security risks in the blk-mq subsystem.

Timeline

Published on: 10/29/2024 01:15:05 UTC
Last modified on: 10/30/2024 15:45:39 UTC