deps: disable io_uring support in libuv by default

setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This potentially allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). Similar concerns apply to other functions that modify the process's user identity. This commit changes libuv's io_uring behavior from opt-out (through UV_USE_IO_URING=0) to opt-in (through UV_USE_IO_URING=1) until we figure out a better long-term solution. PR-URL: nodejs-private/node-private#529 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> CVE-ID: CVE-2024-22017
nodejs · Feb 13, 2024 · 686da19 · 686da19
1 parent f7b44bf
commit 686da19
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/deps/uv/src/unix/linux.c b/deps/uv/src/unix/linux.c
@@ -431,8 +431,9 @@ static int uv__use_io_uring(void) {
   use = atomic_load_explicit(&use_io_uring, memory_order_relaxed);
 
   if (use == 0) {
+    /* Disable io_uring by default due to CVE-2024-22017. */
     val = getenv("UV_USE_IO_URING");
-    use = val == NULL || atoi(val) ? 1 : -1;
+    use = val != NULL && atoi(val) ? 1 : -1;
     atomic_store_explicit(&use_io_uring, use, memory_order_relaxed);
   }
 

diff --git a/doc/api/cli.md b/doc/api/cli.md
@@ -2738,6 +2738,22 @@ threadpool by setting the `'UV_THREADPOOL_SIZE'` environment variable to a value
 greater than `4` (its current default value). For more information, see the
 [libuv threadpool documentation][].
 
+### `UV_USE_IO_URING=value`
+
+Enable or disable libuv's use of `io_uring` on supported platforms.
+
+On supported platforms, `io_uring` can significantly improve the performance of
+various asynchronous I/O operations.
+
+`io_uring` is disabled by default due to security concerns. When `io_uring`
+is enabled, applications must not change the user identity of the process at
+runtime, neither through JavaScript functions such as [`process.setuid()`][] nor
+through native addons that can invoke system functions such as [`setuid(2)`][].
+
+This environment variable is implemented by a dependency of Node.js and may be
+removed in future versions of Node.js. No stability guarantees are provided for
+the behavior of this environment variable.
+
 ## Useful V8 options
 
 V8 has its own set of CLI options. Any V8 CLI option that is provided to `node`
@@ -2839,6 +2855,8 @@ done
 [`dnsPromises.lookup()`]: dns.md#dnspromiseslookuphostname-options
 [`import` specifier]: esm.md#import-specifiers
 [`process.setUncaughtExceptionCaptureCallback()`]: process.md#processsetuncaughtexceptioncapturecallbackfn
+[`process.setuid()`]: process.md#processsetuidid
+[`setuid(2)`]: https://man7.org/linux/man-pages/man2/setuid.2.html
 [`tls.DEFAULT_MAX_VERSION`]: tls.md#tlsdefault_max_version
 [`tls.DEFAULT_MIN_VERSION`]: tls.md#tlsdefault_min_version
 [`unhandledRejection`]: process.md#event-unhandledrejection