In the Linux kernel, the following vulnerability has been resolved: futex: Clear stale exiting pointer in futex_lock_pi() retry path Fuzzying/stressing futexes triggered: WARNING: kernel/futex/core.c:825 at wait_for_owner_exiting+0x7a/0x80, CPU#11: futex_lock_pi_s/524 When futex_lock_pi_atomic() sees the owner is exiting, it returns -EBUSY and stores a refcounted task pointer in 'exiting'. After wait_for_owner_exiting() consumes that reference, the local pointer is never reset to nil. Upon a retry, if futex_lock_pi_atomic() returns a different error, the bogus pointer is passed to wait_for_owner_exiting(). CPU0 CPU1 CPU2 futex_lock_pi(uaddr) // acquires the PI futex exit() futex_cleanup_begin() futex_state = EXITING; futex_lock_pi(uaddr) futex_lock_pi_atomic() attach_to_pi_owner() // observes EXITING *exiting = owner; // takes ref return -EBUSY wait_for_owner_exiting(-EBUSY, owner) put_task_struct(); // drops ref // exiting still points to owner goto retry; futex_lock_pi_atomic() lock_pi_update_atomic() cmpxchg(uaddr) *uaddr ^= WAITERS // whatever // value changed return -EAGAIN; wait_for_owner_exiting(-EAGAIN, exiting) // stale WARN_ON_ONCE(exiting) Fix this by resetting upon retry, essentially aligning it with requeue_pi.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
NVD-CWE-noinfo
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b4032a340> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b4032b600> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b4032bf00> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bcbbf5d40> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bcbbf5780> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bcbbf7180> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bcbbf6280> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b4032b480> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd8a5740> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bcbbf4a40> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b40328380> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b4032b080> | Operating System |
| linux | linux_kernel | 5.5 | <built-in method update of dict object at 0x702c04787e40> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bcbbf6980> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702b4032b3c0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd8a6140> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702b4032b640> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702b40329940> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702b4032ae40> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bde4f1840> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:5.5:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* |