On Fri, Jan 10, 2025 at 10:35 AM Vasiliy Kovalev <kovalev@xxxxxxxxxxxx> wrote:
>
> From: Gui-Dong Han <2045gemini@xxxxxxxxx>
>
> [ Upstream commit dfd2bf436709b2bccb78c2dda550dde93700efa7 ]
>
> In raid5_cache_count():
> if (conf->max_nr_stripes < conf->min_nr_stripes)
> return 0;
> return conf->max_nr_stripes - conf->min_nr_stripes;
> The current check is ineffective, as the values could change immediately
> after being checked.
>
> In raid5_set_cache_size():
> ...
> conf->min_nr_stripes = size;
> ...
> while (size > conf->max_nr_stripes)
> conf->min_nr_stripes = conf->max_nr_stripes;
> ...
>
> Due to intermediate value updates in raid5_set_cache_size(), concurrent
> execution of raid5_cache_count() and raid5_set_cache_size() may lead to
> inconsistent reads of conf->max_nr_stripes and conf->min_nr_stripes.
> The current checks are ineffective as values could change immediately
> after being checked, raising the risk of conf->min_nr_stripes exceeding
> conf->max_nr_stripes and potentially causing an integer overflow.
>
> This possible bug is found by an experimental static analysis tool
> developed by our team. This tool analyzes the locking APIs to extract
> function pairs that can be concurrently executed, and then analyzes the
> instructions in the paired functions to identify possible concurrency bugs
> including data races and atomicity violations. The above possible bug is
> reported when our tool analyzes the source code of Linux 6.2.
>
> To resolve this issue, it is suggested to introduce local variables
> 'min_stripes' and 'max_stripes' in raid5_cache_count() to ensure the
> values remain stable throughout the check. Adding locks in
> raid5_cache_count() fails to resolve atomicity violations, as
> raid5_set_cache_size() may hold intermediate values of
> conf->min_nr_stripes while unlocked. With this patch applied, our tool no
> longer reports the bug, with the kernel configuration allyesconfig for
> x86_64. Due to the lack of associated hardware, we cannot test the patch
> in runtime testing, and just verify it according to the code logic.
>
> Fixes: edbe83ab4c27 ("md/raid5: allow the stripe_cache to grow and shrink.")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Gui-Dong Han <2045gemini@xxxxxxxxx>
> Reviewed-by: Yu Kuai <yukuai3@xxxxxxxxxx>
> Signed-off-by: Song Liu <song@xxxxxxxxxx>
> Link: https://lore.kernel.org/r/20240112071017.16313-1-2045gemini@xxxxxxxxx
> Signed-off-by: Song Liu <song@xxxxxxxxxx>
> Signed-off-by: Vasiliy Kovalev <kovalev@xxxxxxxxxxxx>
> ---
> Backport to fix CVE-2024-23307
> Link: https://www.cve.org/CVERecord/?id=CVE-2024-23307
Looks good to me.
Thanks,
Song
[...]
