Skip to content

Commit

Permalink
deps: disable io_uring support in libuv by default
Browse files Browse the repository at this point in the history
setuid() does not affect libuv's internal io_uring operations if
initialized before the call to setuid(). This potentially allows the
process to perform privileged operations despite presumably having
dropped such privileges through a call to setuid(). Similar concerns
apply to other functions that modify the process's user identity.

This commit changes libuv's io_uring behavior from opt-out (through
UV_USE_IO_URING=0) to opt-in (through UV_USE_IO_URING=1) until we figure
out a better long-term solution.

PR-URL: nodejs-private/node-private#528
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2024-22017
  • Loading branch information
tniessen authored and RafaelGSS committed Feb 14, 2024
1 parent 03a5c34 commit 42e659c
Show file tree
Hide file tree
Showing 2 changed files with 20 additions and 2 deletions.
4 changes: 2 additions & 2 deletions deps/uv/src/unix/linux.c
Original file line number Diff line number Diff line change
Expand Up @@ -487,8 +487,8 @@ static int uv__use_io_uring(void) {
use = atomic_load_explicit(&use_io_uring, memory_order_relaxed);

if (use == 0) {
/* Older kernels have a bug where the sqpoll thread uses 100% CPU. */
use = uv__kernel_version() >= /* 5.10.186 */ 0x050ABA ? 1 : -1;
/* Disable io_uring by default due to CVE-2024-22017. */
use = -1;

/* But users can still enable it if they so desire. */
val = getenv("UV_USE_IO_URING");
Expand Down
18 changes: 18 additions & 0 deletions doc/api/cli.md
Original file line number Diff line number Diff line change
Expand Up @@ -2887,6 +2887,22 @@ threadpool by setting the `'UV_THREADPOOL_SIZE'` environment variable to a value
greater than `4` (its current default value). For more information, see the
[libuv threadpool documentation][].

### `UV_USE_IO_URING=value`

Enable or disable libuv's use of `io_uring` on supported platforms.

On supported platforms, `io_uring` can significantly improve the performance of
various asynchronous I/O operations.

`io_uring` is disabled by default due to security concerns. When `io_uring`
is enabled, applications must not change the user identity of the process at
runtime, neither through JavaScript functions such as [`process.setuid()`][] nor
through native addons that can invoke system functions such as [`setuid(2)`][].

This environment variable is implemented by a dependency of Node.js and may be
removed in future versions of Node.js. No stability guarantees are provided for
the behavior of this environment variable.

## Useful V8 options

V8 has its own set of CLI options. Any V8 CLI option that is provided to `node`
Expand Down Expand Up @@ -2991,6 +3007,8 @@ done
[`dnsPromises.lookup()`]: dns.md#dnspromiseslookuphostname-options
[`import` specifier]: esm.md#import-specifiers
[`process.setUncaughtExceptionCaptureCallback()`]: process.md#processsetuncaughtexceptioncapturecallbackfn
[`process.setuid()`]: process.md#processsetuidid
[`setuid(2)`]: https://man7.org/linux/man-pages/man2/setuid.2.html
[`tls.DEFAULT_MAX_VERSION`]: tls.md#tlsdefault_max_version
[`tls.DEFAULT_MIN_VERSION`]: tls.md#tlsdefault_min_version
[`unhandledRejection`]: process.md#event-unhandledrejection
Expand Down

0 comments on commit 42e659c

Please sign in to comment.