Missing Synchronization Affecting kernel-tools-devel package, versions <0:4.14.268-205.500.amzn2


Severity

Recommended
high

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.04% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN2-KERNELTOOLSDEVEL-7678915
  • published14 Aug 2024
  • disclosed20 Jun 2024

Introduced: 20 Jun 2024

CVE-2022-48760  (opens in a new tab)
CWE-820  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2 kernel-tools-devel to version 0:4.14.268-205.500.amzn2 or higher.
This issue was patched in ALAS2-2022-1761.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-tools-devel package and not the kernel-tools-devel package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

USB: core: Fix hang in usb_kill_urb by adding memory barriers

The syzbot fuzzer has identified a bug in which processes hang waiting for usb_kill_urb() to return. It turns out the issue is not unlinking the URB; that works just fine. Rather, the problem arises when the wakeup notification that the URB has completed is not received.

The reason is memory-access ordering on SMP systems. In outline form, usb_kill_urb() and __usb_hcd_giveback_urb() operating concurrently on different CPUs perform the following actions:

CPU 0 CPU 1


usb_kill_urb(): __usb_hcd_giveback_urb(): ... ... atomic_inc(&urb->reject); atomic_dec(&urb->use_count); ... ... wait_event(usb_kill_urb_queue, atomic_read(&urb->use_count) == 0); if (atomic_read(&urb->reject)) wake_up(&usb_kill_urb_queue);

Confining your attention to urb->reject and urb->use_count, you can see that the overall pattern of accesses on CPU 0 is:

write urb-&gt;reject, then read urb-&gt;use_count;

whereas the overall pattern of accesses on CPU 1 is:

write urb-&gt;use_count, then read urb-&gt;reject.

This pattern is referred to in memory-model circles as SB (for "Store Buffering"), and it is well known that without suitable enforcement of the desired order of accesses -- in the form of memory barriers -- it is entirely possible for one or both CPUs to execute their reads ahead of their writes. The end result will be that sometimes CPU 0 sees the old un-decremented value of urb->use_count while CPU 1 sees the old un-incremented value of urb->reject. Consequently CPU 0 ends up on the wait queue and never gets woken up, leading to the observed hang in usb_kill_urb().

The same pattern of accesses occurs in usb_poison_urb() and the failure pathway of usb_hcd_submit_urb().

The problem is fixed by adding suitable memory barriers. To provide proper memory-access ordering in the SB pattern, a full barrier is required on both CPUs. The atomic_inc() and atomic_dec() accesses themselves don't provide any memory ordering, but since they are present, we can use the optimized smp_mb__after_atomic() memory barrier in the various routines to obtain the desired effect.

This patch adds the necessary memory barriers.

CVSS Scores

version 3.1