A vulnerability in the Linux kernel has been identified and resolved: a race condition between the reset path and nvme_dev_disable(). Left unfixed, the race could pass invalid values to blk_mq_update_nr_hw_queues(), with unwanted consequences. In this post, we discuss the details of the vulnerability and the bug fix, and provide a code snippet to illustrate the change.

Vulnerability Details

The vulnerability is a race condition in the Linux kernel, specifically in the nvme-pci module, around the dev->online_queues field, which nvme_dev_disable() modifies. If nvme_pci_update_nr_queues() does not coordinate with nvme_dev_disable(), it can read an online_queues value that is being torn down and pass an invalid value to blk_mq_update_nr_hw_queues(). The issue surfaced as a warning raised in pci_irq_get_affinity() in the kernel logs.

Exploit Details

The kernel log shows a CPU warning at drivers/pci/msi/api.c:347, raised inside pci_irq_get_affinity(). The nvme-reset-wq workqueue is involved, executing nvme_reset_work() at the same time, and the call trace places the failure in nvme_pci_map_queues().

Code Snippet

The bug fix involves locking the shutdown_lock mutex before using dev->online_queues and giving up if nvme_dev_disable() is running or has already been executed. The code snippet with the changes is provided below:

/* Serialise against nvme_dev_disable(), which modifies dev->online_queues. */
mutex_lock(&dev->shutdown_lock);
/* Give up if the controller is no longer live: nvme_dev_disable() has run or is running. */
if (dev->ctrl.state != NVME_CTRL_LIVE) {
    mutex_unlock(&dev->shutdown_lock);
    return false;
}
/* Snapshot online_queues while it cannot change underneath us. */
new = dev->online_queues;
mutex_unlock(&dev->shutdown_lock);
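To make the race concrete, here is an added userspace C model; it is example code written for this post, not code from the kernel or from the fix. Field names follow the driver (state, online_queues, shutdown_lock), but the struct layout, the enum values, the nr_allocated_queues field, the *_model() stand-ins and the arithmetic nr_hw_queues = online_queues - 1 are assumptions made for the example. It drives one interleaving deterministically: nvme_dev_disable() completes just before the reset path reads online_queues, and the unlocked read hands a wrapped-around count to the blk-mq stand-in while the locked check from the snippet above gives up cleanly.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the fields involved. Names follow the driver; the layout,
 * enum values, nr_allocated_queues and the *_model() helpers are assumptions.
 */
enum ctrl_state { NVME_CTRL_LIVE = 1, NVME_CTRL_RESETTING, NVME_CTRL_DELETING };

struct nvme_dev {
    enum ctrl_state state;          /* dev->ctrl.state */
    uint32_t online_queues;         /* u32: admin queue plus live I/O queues */
    uint32_t nr_allocated_queues;   /* model only: how many queues exist at all */
    pthread_mutex_t shutdown_lock;  /* taken by nvme_dev_disable() */
};

/* Stand-in for blk_mq_update_nr_hw_queues(): accepts only a usable I/O queue count. */
static bool blk_mq_update_nr_hw_queues_model(const struct nvme_dev *dev, uint32_t nr_hw_queues)
{
    return nr_hw_queues >= 1 && nr_hw_queues < dev->nr_allocated_queues;
}

/*
 * Model of nvme_dev_disable(): the caller has moved the controller out of LIVE
 * (assumed here to be passed in), and every queue is suspended under
 * shutdown_lock, so online_queues drops to 0.
 */
static void nvme_dev_disable_model(struct nvme_dev *dev, enum ctrl_state new_state)
{
    pthread_mutex_lock(&dev->shutdown_lock);
    dev->state = new_state;
    dev->online_queues = 0;
    pthread_mutex_unlock(&dev->shutdown_lock);
}

/* Racy variant: reads online_queues without coordinating with nvme_dev_disable(). */
static bool update_nr_queues_unlocked(struct nvme_dev *dev)
{
    /* Assumed arithmetic: I/O hardware queues = online_queues minus the admin queue.
     * If disable already ran, 0u - 1 wraps to UINT32_MAX: the invalid value. */
    uint32_t nr_hw_queues = dev->online_queues - 1;
    return blk_mq_update_nr_hw_queues_model(dev, nr_hw_queues);
}

/* Fixed variant, following the snippet above: lock, check state, snapshot, unlock. */
static bool update_nr_queues_locked(struct nvme_dev *dev, bool *gave_up)
{
    uint32_t new;

    pthread_mutex_lock(&dev->shutdown_lock);
    if (dev->state != NVME_CTRL_LIVE) {
        pthread_mutex_unlock(&dev->shutdown_lock);
        *gave_up = true;
        return false;
    }
    new = dev->online_queues;
    pthread_mutex_unlock(&dev->shutdown_lock);
    *gave_up = false;
    return blk_mq_update_nr_hw_queues_model(dev, new - 1);
}

/*
 * Runs one interleaving (no threads needed). Returns 1 if a valid count reached
 * blk-mq, 0 if the update gave up cleanly, -1 if an invalid count was handed over.
 */
int run_scenario(bool use_locked_path, bool disable_races)
{
    struct nvme_dev dev = { .state = NVME_CTRL_LIVE, .online_queues = 5, .nr_allocated_queues = 8 };
    int result;

    pthread_mutex_init(&dev.shutdown_lock, NULL);
    if (disable_races)
        nvme_dev_disable_model(&dev, NVME_CTRL_DELETING);

    if (use_locked_path) {
        bool gave_up;
        bool ok = update_nr_queues_locked(&dev, &gave_up);
        result = gave_up ? 0 : (ok ? 1 : -1);
    } else {
        result = update_nr_queues_unlocked(&dev) ? 1 : -1;
    }
    pthread_mutex_destroy(&dev.shutdown_lock);
    return result;
}

int main(void)
{
    printf("unlocked, disable raced : %d\n", run_scenario(false, true));  /* -1 */
    printf("locked, disable raced   : %d\n", run_scenario(true, true));   /*  0 */
    printf("unlocked, no disable    : %d\n", run_scenario(false, false)); /*  1 */
    printf("locked, no disable      : %d\n", run_scenario(true, false));  /*  1 */
    return 0;
}
```

The point of the model is the snapshot under shutdown_lock combined with the state check: once nvme_dev_disable() has taken the controller out of the live state, the update path returns false instead of computing a queue count from a field that has just been zeroed.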

Original References

1. Linux Kernel Source Code - nvme_pci_update_nr_queues(): https://elixir.bootlin.com/linux/latest/source/drivers/nvme/host/pci.c#L1771
2. Linux Kernel Source Code - nvme_dev_disable(): https://elixir.bootlin.com/linux/latest/source/drivers/nvme/host/pci.c#L987
3. Linux Kernel Documentation for nvme-pci: https://www.kernel.org/doc/html/latest/driver-api/nvme.html
4. Relevant Linux Kernel Mailing List Thread discussing the issue: https://lkml.org/lkml/2022/3/4/208

Conclusion

The vulnerability in the Linux kernel, specifically the nvme-pci module, has been resolved by fixing the race condition between the reset function and nvme_dev_disable(). It is advised to update the Linux kernel to the latest version to ensure your system is protected against potential exploits related to this vulnerability. Always keeping your kernel updated is a good practice to protect against any newly discovered vulnerabilities.

Timeline

Published on: 11/05/2024 18:15:16 UTC
Last modified on: 11/08/2024 14:34:11 UTC