CVE-2024-56584 Information

Description

In the Linux kernel the following vulnerability has been resolved:

io_uring/tctx: work around xa_store() allocation error issue

syzbot triggered the following WARN_ON:

WARNING: CPU: 0 PID: 16 at io_uring/tctx.c:51 __io_uring_free+0xfa/0x140 io_uring/tctx.c:51

which is the

WARN_ON_ONCE(!xa_empty(&tctx->xa));

sanity check in __io_uring_free() when a io_uring_task is going through its final put. The syzbot test case includes injecting memory allocation failures and it very much looks like xa_store() can fail one of its memory allocations and end up with ->head being non-NULL even though no entries exist in the xarray.

Until this issue gets sorted out work around it by attempting to iterate entries in our xarray and WARN_ON_ONCE() if one is found.

Reference

https://git.kernel.org/stable/c/42882b583095dcf747da6e3af1daeff40e27033e https://git.kernel.org/stable/c/7eb75ce7527129d7f1fee6951566af409a37a1c4 https://git.kernel.org/stable/c/94ad56f61b873ffeebcc620d451eacfbdf9d40f0 https://git.kernel.org/stable/c/d5b2ddf1f90c7248eff9630b95895c8950f2f36d