
Bug 814464 (CVE-2021-41073)

Summary: Exploitable vulnerability in io_uring
Product: Gentoo Security
Reporter: Michał Górny <mgorny>
Component: Kernel
Assignee: Gentoo Kernel Security <security-kernel>
Status: RESOLVED INVALID
Severity: normal
CC: sam
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://marc.info/?l=oss-security&m=163199425823047&w=2
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 814467, 814470
Bug Blocks:

Description Michał Górny 2021-09-23 09:06:16 UTC
As reported by sam on #gentoo-kernel:

```
The vulnerability is in fs/io_uring.c at loop_rw_iter. It is a controllable
kernel buffer free.

Most files implement the file op function read_iter. However, if they don't
(such as a procfs file like /proc/<pid>/maps), loop_rw_iter is called to
manually perform the iterative read/write of a file. The pointer
in req->rw.addr is incremented by the size of the read/write after each
segment. In normal cases, req->rw.addr contains a pointer to a userspace
buffer to read/write from. However, a user can use the
IORING_OP_PROVIDE_BUFFERS command to preselect buffers for I/O operations.
If this is the case, req->rw.addr contains a pointer to a kernel buffer
(io_buffer structure). This buffer is later freed in io_put_kbuf after the
read/write request completes.

This gives the ability to free adjacent buffers at a controllable offset.
It is accessible from unprivileged, and straightforward to exploit for
local privilege escalation. I plan to share the specifics for exploitation
in the future.
```
Comment 1 John Helmert III 2022-03-26 01:37:27 UTC
Not certain this is a real bug; the commit of the 'Fixes' tag is in the same releases as the fix.