Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 814464 (CVE-2021-41073) - Exploitable vulnerability in io_uring
Summary: Exploitable vulnerability in io_uring
Status: RESOLVED INVALID
Alias: CVE-2021-41073
Product: Gentoo Security
Classification: Unclassified
Component: Kernel (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Kernel Security
URL: https://marc.info/?l=oss-security&m=1...
Whiteboard:
Keywords:
Depends on: 814467 814470
Blocks:
  Show dependency tree
 
Reported: 2021-09-23 09:06 UTC by Michał Górny
Modified: 2022-03-26 01:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-09-23 09:06:16 UTC
As reported by sam on #gentoo-kernel:

```
The vulnerability is in fs/io_uring.c at loop_rw_iter. It is a controllable
kernel buffer free.

Most files implement the file op function read_iter. However, if they don't
(such as a procfs file like /proc/<pid>/maps), loop_rw_iter is called to
manually perform the iterative read/write of a file. The pointer
in req->rw.addr is incremented by the size of the read/write after each
segment. In normal cases, req->rw.addr contains a pointer to a userspace
buffer to read/write from. However, a user can use the
IORING_OP_PROVIDE_BUFFERS command to preselect buffers for I/O operations.
If this is the case, req->rw.addr contains a pointer to a kernel buffer
(io_buffer structure). This buffer is later freed in io_put_kbuf after the
read/write request completes.

This gives the ability to free adjacent buffers at a controllable offset.
It is accessible from unprivileged, and straight forward to exploit for
local privilege escalation. I plan to share the specifics for exploitation
in the future.
```
Comment 1 John Helmert III gentoo-dev Security 2022-03-26 01:37:27 UTC
Not certain this is a real bug, the commit of the 'Fixes' tag is in the same releases as the fix.