In the Linux kernel, the following vulnerability has been resolved:

USB: core: Make do_proc_control() and do_proc_bulk() killable

The USBDEVFS_CONTROL and USBDEVFS_BULK ioctls invoke usb_start_wait_urb(),
which contains an uninterruptible wait with a user-specified timeout value.
If timeout value is very large and the device being accessed does not
respond in a reasonable amount of time, the kernel will complain about
“Task X blocked for more than N seconds”, as found in testing by syzbot:

```
INFO: task syz-executor.0:8700 blocked for more than 143 seconds.
      Not tainted 5.14.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:23192 pid: 8700 ppid: 8455 flags:0x00004004
Call Trace:
 context_switch kernel/sched/core.c:4681 [inline]
 __schedule+0xc07/0x11f0 kernel/sched/core.c:5938
 schedule+0x14b/0x210 kernel/sched/core.c:6017
 schedule_timeout+0x98/0x2f0 kernel/time/timer.c:1857
 do_wait_for_common+0x2da/0x480 kernel/sched/completion.c:85
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157
 usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63
 do_proc_bulk+0x978/0x1080 drivers/usb/core/devio.c:1236
 proc_bulk drivers/usb/core/devio.c:1273 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2547 [inline]
 usbdev_ioctl+0x3441/0x6b10 drivers/usb/core/devio.c:2713
…
```

To fix this problem, this patch replaces usbfs’s calls to usb_control_msg()
and usb_bulk_msg() with special-purpose code that does essentially the same
thing (as recommended in the comment for usb_start_wait_urb()), except that
it always uses a killable wait and it uses GFP_KERNEL rather than GFP_NOIO.

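
For triage on unpatched kernels, an added example (not part of the advisory or the kernel patch): a Python filter that picks out hung-task reports whose call trace shows a task blocked in usb_start_wait_urb() reached from do_proc_bulk() or do_proc_control(). The sample log is constructed from the trace above plus one made-up unrelated report; the function and variable names are this example's own.

```python
import re

HUNG = re.compile(r"INFO: task (\S+):(\d+) blocked for more than (\d+) seconds")
STAMP = re.compile(r"^\[\s*\d+\.\d+\] ?")        # optional dmesg timestamp
# Reliable frames only: lines such as " ? func+0x.." or " <TASK>" do not match.
FRAME = re.compile(r"^\s+([A-Za-z_][\w.]*)")
USBFS_CALLERS = {"do_proc_bulk", "do_proc_control"}

# Constructed sample: first report mirrors the advisory's trace, second is unrelated.
SAMPLE_LOG = """\
[  608.100000] INFO: task syz-executor.0:8700 blocked for more than 143 seconds.
[  608.100001]       Not tainted 5.14.0-rc7-syzkaller #0
[  608.100002] task:syz-executor.0 state:D stack:23192 pid: 8700 ppid: 8455
[  608.100003] Call Trace:
[  608.100004]  __schedule+0xc07/0x11f0 kernel/sched/core.c:5938
[  608.100005]  wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157
[  608.100006]  usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63
[  608.100007]  do_proc_bulk+0x978/0x1080 drivers/usb/core/devio.c:1236
[  608.100008]  usbdev_ioctl+0x3441/0x6b10 drivers/usb/core/devio.c:2713
[  900.000000] INFO: task backup:4242 blocked for more than 120 seconds.
[  900.000001] Call Trace:
[  900.000002]  __schedule+0x100/0x200
[  900.000003]  io_schedule+0x10/0x40
"""

def usbfs_hung_tasks(log_text):
    """Return hung-task reports blocked in a usbfs synchronous transfer."""
    reports, cur, in_trace = [], None, False
    for raw in log_text.splitlines():
        line = STAMP.sub("", raw)
        m = HUNG.search(line)
        if m:                                    # a new report starts here
            cur = {"comm": m[1], "pid": int(m[2]),
                   "blocked_secs": int(m[3]), "frames": []}
            reports.append(cur)
            in_trace = False
        elif cur is not None and line.strip() == "Call Trace:":
            in_trace = True
        elif cur is not None and in_trace:
            f = FRAME.match(line)
            if f:
                cur["frames"].append(f[1])
            elif line.strip() and not line.startswith(" "):
                in_trace = False                 # unindented line ends the trace
    return [r for r in reports if "usb_start_wait_urb" in r["frames"]
            and USBFS_CALLERS & set(r["frames"])]

if __name__ == "__main__":
    for hit in usbfs_hung_tasks(SAMPLE_LOG):
        print(hit["comm"], hit["pid"], hit["blocked_secs"])
```
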
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-bluefield | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-gcp | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-gkeop | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-ibm | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-iot | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-kvm | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-oracle | < any | UNKNOWN |
git.kernel.org/linus/ae8709b296d80c7f45aa1f35c0e7659ad69edce1 (5.16-rc1)
git.kernel.org/stable/c/403716741c6c2c510dce44e88f085a740f535de6
git.kernel.org/stable/c/ae8709b296d80c7f45aa1f35c0e7659ad69edce1
launchpad.net/bugs/cve/CVE-2021-47582
nvd.nist.gov/vuln/detail/CVE-2021-47582
security-tracker.debian.org/tracker/CVE-2021-47582
www.cve.org/CVERecord?id=CVE-2021-47582