CVE-2023-52630 in Linuxinfo

Summary

by MITRE • 04/02/2024

In the Linux kernel, the following vulnerability has been resolved:

blk-iocost: Fix an UBSAN shift-out-of-bounds warning

When iocg_kick_delay() is called from a CPU different than the one which set the delay, @now may be in the past of @iocg->delay_at leading to the following warning:

UBSAN: shift-out-of-bounds in block/blk-iocost.c:1359:23 shift exponent 18446744073709 is too large for 64-bit type 'u64' (aka 'unsigned long long') ... Call Trace: dump_stack_lvl+0x79/0xc0 __ubsan_handle_shift_out_of_bounds+0x2ab/0x300 iocg_kick_delay+0x222/0x230 ioc_rqos_merge+0x1d7/0x2c0 __rq_qos_merge+0x2c/0x80 bio_attempt_back_merge+0x83/0x190 blk_attempt_plug_merge+0x101/0x150 blk_mq_submit_bio+0x2b1/0x720 submit_bio_noacct_nocheck+0x320/0x3e0 __swap_writepage+0x2ab/0x9d0

The underflow itself doesn't really affect the behavior in any meaningful way; however, the past timestamp may exaggerate the delay amount calculated later in the code, which shouldn't be a material problem given the nature of the delay mechanism.

If @now is in the past, this CPU is racing another CPU which recently set up the delay and there's nothing this CPU can contribute w.r.t. the delay. Let's bail early from iocg_kick_delay() in such cases.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 01/06/2025

The vulnerability under discussion resides within the Linux kernel's block I/O cost control subsystem, specifically in the blk-iocost module. This issue manifests as a UBSAN (Undefined Behavior Sanitizer) shift-out-of-bounds warning that occurs during the execution of iocg_kick_delay() function. The root cause stems from a race condition scenario where this function is invoked from a CPU core that differs from the one responsible for establishing the delay state. When this happens, the timestamp comparison between the current time and the delay activation time results in an underflow condition, leading to an invalid shift operation on a 64-bit unsigned integer.

The technical flaw occurs at line 1359 in block/blk-iocost.c where the system attempts to perform a bit shift operation with an exponent that exceeds the valid range for a u64 data type. This particular underflow scenario arises when the now parameter represents a timestamp that falls chronologically before iocg->delay_at, indicating that the calling CPU has a clock that is behind the one that originally set the delay. The function call trace demonstrates how this issue propagates through the kernel's I/O subsystem, starting from iocg_kick_delay() and eventually reaching the UBSAN handler for shift-out-of-bounds errors.

This vulnerability operates within the context of the Linux kernel's I/O control mechanisms, specifically related to the blk-iocost module that manages I/O bandwidth allocation among different groups. The underlying problem relates to improper handling of time synchronization across multiple CPU cores and race conditions in concurrent access patterns. According to CWE-191, this represents an integer underflow condition that can lead to unpredictable behavior, while the ATT&CK framework would categorize this under T1059.006 for system call manipulation and potentially T1486 for potential denial of service through resource exhaustion.

The operational impact of this vulnerability is primarily characterized by false positive UBSAN warnings rather than functional system failures. While the actual behavior of the delay mechanism remains unaffected, the underflow condition could theoretically cause an exaggerated calculation of delay amounts in subsequent code paths. However, given the nature of the delay mechanism itself and its intended purpose as a soft limit rather than hard enforcement, this exaggeration does not represent a material problem to system stability or security. The vulnerability essentially represents a benign race condition that produces noise in debugging output without compromising system integrity.

The recommended mitigation strategy involves implementing an early exit from the iocg_kick_delay() function when the calling CPU's timestamp is determined to be chronologically prior to the delay activation timestamp. This approach addresses the root cause by preventing execution of the problematic shift operation when it would be invalid due to clock synchronization issues between CPUs. The solution aligns with defensive programming practices and ensures that only meaningful delay calculations are performed, while avoiding unnecessary computational overhead and false warnings in system monitoring tools. This fix maintains the intended functionality of the I/O cost control mechanism while eliminating the race condition that triggers the UBSAN warning.

Reservation

03/06/2024

Disclosure

04/02/2024

Moderation

revoked

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!