CVE-2021-47069: ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry

First published: Fri Mar 01 2024(Updated: )

In the Linux kernel, the following vulnerability has been resolved: ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry do_mq_timedreceive calls wq_sleep with a stack local address. The sender (do_mq_timedsend) uses this address to later call pipelined_send. This leads to a very hard to trigger race where a do_mq_timedreceive call might return and leave do_mq_timedsend to rely on an invalid address, causing the following crash: RIP: 0010:wake_q_add_safe+0x13/0x60 Call Trace: __x64_sys_mq_timedsend+0x2a9/0x490 do_syscall_64+0x80/0x680 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f5928e40343 The race occurs as: 1. do_mq_timedreceive calls wq_sleep with the address of `struct ext_wait_queue` on function stack (aliased as `ewq_addr` here) - it holds a valid `struct ext_wait_queue *` as long as the stack has not been overwritten. 2. `ewq_addr` gets added to info->e_wait_q[RECV].list in wq_add, and do_mq_timedsend receives it via wq_get_first_waiter(info, RECV) to call __pipelined_op. 3. Sender calls __pipelined_op::smp_store_release(&this->state, STATE_READY). Here is where the race window begins. (`this` is `ewq_addr`.) 4. If the receiver wakes up now in do_mq_timedreceive::wq_sleep, it will see `state == STATE_READY` and break. 5. do_mq_timedreceive returns, and `ewq_addr` is no longer guaranteed to be a `struct ext_wait_queue *` since it was on do_mq_timedreceive's stack. (Although the address may not get overwritten until another function happens to touch it, which means it can persist around for an indefinite time.) 6. do_mq_timedsend::__pipelined_op() still believes `ewq_addr` is a `struct ext_wait_queue *`, and uses it to find a task_struct to pass to the wake_q_add_safe call. In the lucky case where nothing has overwritten `ewq_addr` yet, `ewq_addr->task` is the right task_struct. In the unlucky case, __pipelined_op::wake_q_add_safe gets handed a bogus address as the receiver's task_struct causing the crash. do_mq_timedsend::__pipelined_op() should not dereference `this` after setting STATE_READY, as the receiver counterpart is now free to return. Change __pipelined_op to call wake_q_add_safe on the receiver's task_struct returned by get_task_struct, instead of dereferencing `this` which sits on the receiver's stack. As Manfred pointed out, the race potentially also exists in ipc/msg.c::expunge_all and ipc/sem.c::wake_up_sem_queue_prepare. Fix those in the same way.

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/title
• agent/type
• agent/first-publish-date
• agent/author
• agent/description
• collector/redhat-bugzilla
• source/Red Hat
• alias/CVE-2021-47069
• collector/mitre-cve
• source/MITRE
• agent/remedy
• agent/weakness
• agent/severity
• collector/nvd-api
• source/NVD
• agent/software-canonical-lookup
• agent/software-canonical-lookup-request
• agent/last-modified-date
• agent/references
• agent/source
• agent/softwarecombine
• agent/tags
• agent/event
• collector/ibm-support
• source/IBM
• vendor/linux
• canonical/linux kernel
• version/linux kernel/5.6
• version/linux kernel/5.11
• version/linux kernel/5.13-rc1
• version/linux kernel/5.13-rc2
• vendor/ibm
• canonical/ibm security verify governance - identity manager
• version/ibm security verify governance - identity manager/isvg 10.0.2
• canonical/ibm security verify governance, identity manager software stack
• version/ibm security verify governance, identity manager software stack/isvg 10.0.2
• canonical/ibm security verify governance, identity manager virtual appliance
• version/ibm security verify governance, identity manager virtual appliance/isvg 10.0.2
• canonical/ibm security verify governance identity manager container
• version/ibm security verify governance identity manager container/isvg 10.0.2