Linux is a family of open-source Unix-like operating systems based on the Linux kernel.

Linux Kernel

Debian GNU/Linux is a Linux distribution composed of free and open-source software.

Linux Debian

Ubuntu is a Linux distribution based on Debian, mostly composed of free and open-source software. Ubuntu is officially released in three editions: Desktop, Server, and Core for internet of things devices and robots. All the editions can run on the computer alone or in a virtual machine.

Linux Ubuntu

Red Hat Enterprise Linux is a Linux distribution developed by Red Hat for the commercial market.

Linux Red Hat

Linux openSUSE

In the Linux kernel, the following vulnerability has been resolved:

9p/trans_fd: always use O_NONBLOCK read/write

syzbot is reporting hung task at p9_fd_close() [1], for p9_mux_poll_stop()
 from p9_conn_destroy() from p9_fd_close() is failing to interrupt already
started kernel_read() from p9_fd_read() from p9_read_work() and/or
kernel_write() from p9_fd_write() from p9_write_work() requests.

Since p9_socket_open() sets O_NONBLOCK flag, p9_mux_poll_stop() does not
need to interrupt kernel_read()/kernel_write(). However, since p9_fd_open()
does not set O_NONBLOCK flag, but pipe blocks unless signal is pending,
p9_mux_poll_stop() needs to interrupt kernel_read()/kernel_write() when
the file descriptor refers to a pipe. In other words, pipe file descriptor
needs to be handled as if socket file descriptor.

We somehow need to interrupt kernel_read()/kernel_write() on pipes.

A minimal change, which this patch is doing, is to set O_NONBLOCK flag
 from p9_fd_open(), for O_NONBLOCK flag does not affect reading/writing
of regular files. But this approach changes O_NONBLOCK flag on userspace-
supplied file descriptors (which might break userspace programs), and
O_NONBLOCK flag could be changed by userspace. It would be possible to set
O_NONBLOCK flag every time p9_fd_read()/p9_fd_write() is invoked, but still
remains small race window for clearing O_NONBLOCK flag.

If we don't want to manipulate O_NONBLOCK flag, we might be able to
surround kernel_read()/kernel_write() with set_thread_flag(TIF_SIGPENDING)
and recalc_sigpending(). Since p9_read_work()/p9_write_work() works are
processed by kernel threads which process global system_wq workqueue,
signals could not be delivered from remote threads when p9_mux_poll_stop()
 from p9_conn_destroy() from p9_fd_close() is called. Therefore, calling
set_thread_flag(TIF_SIGPENDING)/recalc_sigpending() every time would be
needed if we count on signals for making kernel_read()/kernel_write()
non-blocking.

[Dominique: add comment at Christian's suggestion]

CVE-2022-49767:
Linux Kernel vulnerability analysis and mitigation

Overview

Technical details

Impact

Mitigation and workarounds

Additional resources

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud threat landscape

PEACH

Ready to see Wiz in action?

CVE-2022-49767: Linux Kernel vulnerability analysis and mitigation