deps: disable io_uring support in libuv by default

tniessen · marco-ippolito · commit 666096298c34 · 2024-02-13T15:26:52.000+01:00
setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This potentially allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). Similar concerns apply to other functions that modify the process's user identity. This commit changes libuv's io_uring behavior from opt-out (through UV_USE_IO_URING=0) to opt-in (through UV_USE_IO_URING=1) until we figure out a better long-term solution. PR-URL: nodejs-private/node-private#528 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> CVE-ID: CVE-2024-22017
diff --git a/deps/uv/src/unix/linux.c b/deps/uv/src/unix/linux.c
@@ -487,8 +487,8 @@ static int uv__use_io_uring(void) {
   use = atomic_load_explicit(&use_io_uring, memory_order_relaxed);
 
   if (use == 0) {
-    /* Older kernels have a bug where the sqpoll thread uses 100% CPU. */
-    use = uv__kernel_version() >= /* 5.10.186 */ 0x050ABA ? 1 : -1;
+    /* Disable io_uring by default due to CVE-2024-22017. */
+    use = -1;
 
     /* But users can still enable it if they so desire. */
     val = getenv("UV_USE_IO_URING");
diff --git a/doc/api/cli.md b/doc/api/cli.md
@@ -2855,6 +2855,22 @@ threadpool by setting the `'UV_THREADPOOL_SIZE'` environment variable to a value
 greater than `4` (its current default value). For more information, see the
 [libuv threadpool documentation][].
 
+### `UV_USE_IO_URING=value`
+
+Enable or disable libuv's use of `io_uring` on supported platforms.
+
+On supported platforms, `io_uring` can significantly improve the performance of
+various asynchronous I/O operations.
+
+`io_uring` is disabled by default due to security concerns. When `io_uring`
+is enabled, applications must not change the user identity of the process at
+runtime, neither through JavaScript functions such as [`process.setuid()`][] nor
+through native addons that can invoke system functions such as [`setuid(2)`][].
+
+This environment variable is implemented by a dependency of Node.js and may be
+removed in future versions of Node.js. No stability guarantees are provided for
+the behavior of this environment variable.
+
 ## Useful V8 options
 
 V8 has its own set of CLI options. Any V8 CLI option that is provided to `node`
@@ -2959,6 +2975,8 @@ done
 [`dnsPromises.lookup()`]: dns.md#dnspromiseslookuphostname-options
 [`import` specifier]: esm.md#import-specifiers
 [`process.setUncaughtExceptionCaptureCallback()`]: process.md#processsetuncaughtexceptioncapturecallbackfn
+[`process.setuid()`]: process.md#processsetuidid
+[`setuid(2)`]: https://man7.org/linux/man-pages/man2/setuid.2.html
 [`tls.DEFAULT_MAX_VERSION`]: tls.md#tlsdefault_max_version
 [`tls.DEFAULT_MIN_VERSION`]: tls.md#tlsdefault_min_version
 [`unhandledRejection`]: process.md#event-unhandledrejection
