Bug 2265269 (CVE-2023-52437) - CVE-2023-52437 kernel: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
Summary: CVE-2023-52437 kernel: Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in rai...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-52437
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2265270
Blocks: 2265182
TreeView+ depends on / blocked
 
Reported: 2024-02-21 08:33 UTC by Avinash Hanwate
Modified: 2024-11-06 07:30 UTC (History)
50 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2024-02-25 10:51:23 UTC
Embargoed:

Attachments (Terms of Use)

Description Avinash Hanwate 2024-02-21 08:33:28 UTC 
In the Linux kernel, the following vulnerability has been resolved:

Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"

This reverts commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74.

That commit introduced the following race and can cause system hung.

 md_write_start:             raid5d:
 // mddev->in_sync == 1
 set "MD_SB_CHANGE_PENDING"
                            // running before md_write_start wakeup it
                             waiting "MD_SB_CHANGE_PENDING" cleared
                             >>>>>>>>> hung
 wakeup mddev->thread
 ...
 waiting "MD_SB_CHANGE_PENDING" cleared
 >>>> hung, raid5d should clear this flag
 but get hung by same flag.

The issue reverted commit fixing is fixed by last patch in a new way.

https://git.kernel.org/stable/c/84c39986fe6dd77aa15f08712339f5d4eb7dbe27
https://git.kernel.org/stable/c/bed0acf330b2c50c688f6d9cfbcac2aa57a8e613
https://git.kernel.org/stable/c/cfa46838285814c3a27faacf7357f0a65bb5d152
https://git.kernel.org/stable/c/e16a0bbdb7e590a6607b0d82915add738c03c069
https://git.kernel.org/stable/c/aab69ef769707ad987ff905d79e0bd6591812580
https://git.kernel.org/stable/c/0de40f76d567133b871cd6ad46bb87afbce46983
https://git.kernel.org/stable/c/87165c64fe1a98bbab7280c58df3c83be2c98478
https://git.kernel.org/stable/c/bed9e27baf52a09b7ba2a3714f1e24e17ced386d
Comment 1 Avinash Hanwate 2024-02-21 08:35:17 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2265270]
Comment 3 Paolo Bonzini 2024-02-21 11:40:20 UTC 
This CVE is bogus.  The revert was later reverted again on the stable branch because it themselves caused hangs.

I'm preparing the popcorn.
Comment 4 Wade Mealing 2024-02-21 12:11:25 UTC 
If it was an attempt at a fix, this means the CVE is not bogus, ie, it should not be disputed.

Instead this is an incomplete fix, and another CVE needs to be generated.
Comment 6 Paolo Bonzini 2024-02-21 13:36:23 UTC 
> If it was an attempt at a fix, this means the CVE is not bogus, ie, it should not be disputed.

According to https://lore.kernel.org/all/626f3f93-7085-7bd4-2172-3f97fcf197c9@huaweicloud.com/T/, this commit is just an "attempt to undo a suboptimal fix" that, as it turned out, had to be reverted.

The actual fix is in commit d6e035aad6c0 ("md: bypass block throttle for superblock update").

So there is a bug that is fixed by commit d6e035aad6c0.  I am not sure if it should be considered an instance of this CVE, or a CVE at all.
Comment 7 Justin M. Forbes 2024-02-21 22:52:24 UTC 
The fix is queued for 6.7.6, but yes, the revert landed in 6.6.13, and the revert was reverted in 6.6.14.  I will mark 6.7.6 as fixing this for Fedora when it lands.
Comment 9 Alex 2024-02-25 10:51:23 UTC 
CVE-2023-52437 rejected:
https://lore.kernel.org/linux-cve-announce/2024022249-trapping-doorstop-6f10@gregkh/T/#t
Note You need to log in before you can comment on or make changes to this bug.