oss-sec mailing list archives
CVE-2021-3491 - Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT bypass
From: Thadeu Lima de Souza Cascardo <cascardo () canonical com>
Date: Tue, 11 May 2021 15:13:46 -0300
It was discovered that io_uring PROVIDE_BUFFERS operation allowed the MAX_RW_COUNT limit to be bypassed, which led to negative values being used in mem_rw when reading /proc/<PID>/mem. Billy Jheng Bing-Jhong (@st424204) of STAR Labs working with Trend Micro's Zero Day Initiative discovered that this vulnerability could be turned into a heap overflow.

This has been reported as ZDI-CAN-13546, and assigned CVE-2021-3491.

IORING_OP_PROVIDE_BUFFERS was introduced in commit ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") where lengths larger than MAX_RW_COUNT could be used and accepted. This commit was introduced in 5.7-rc1. It was not backported to any upstream LTS kernels.

This has been fixed by commit:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db

Cascardo.
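The length handling the advisory describes, as a user-space C model added here (not kernel code and not part of the original post): a 32-bit length above MAX_RW_COUNT is stored unchecked and then read as a signed count, next to a registration that truncates it first. The `model_buf` struct, the function names and the 4 KiB page size are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 4 KiB pages. The kernel defines MAX_RW_COUNT as INT_MAX & PAGE_MASK. */
#define MODEL_PAGE_SIZE    4096u
#define MODEL_MAX_RW_COUNT ((uint32_t)INT_MAX & ~(MODEL_PAGE_SIZE - 1u))

/* Hypothetical stand-in for one provided buffer: the length is an unsigned 32-bit field. */
struct model_buf { uint64_t addr; uint32_t len; };

/* Unchecked registration: any 32-bit length is accepted and stored as given. */
static void provide_unchecked(struct model_buf *b, uint64_t addr, uint32_t len)
{
    b->addr = addr;
    b->len = len;
}

/* Hardened registration: truncate the length to the ceiling before storing it. */
static void provide_clamped(struct model_buf *b, uint64_t addr, uint32_t len)
{
    b->addr = addr;
    b->len = len < MODEL_MAX_RW_COUNT ? len : MODEL_MAX_RW_COUNT;
}

/* Count as seen by a consumer that holds the length in a signed 32-bit integer. */
static int32_t consumer_count(const struct model_buf *b)
{
    int32_t count;
    memcpy(&count, &b->len, sizeof count); /* well-defined reinterpretation of the bits */
    return count;
}

int main(void)
{
    /* Constructed sample lengths: one ordinary, one just past the ceiling, one above INT_MAX. */
    const uint32_t samples[] = { 4096u, MODEL_MAX_RW_COUNT + 1u, 0x80000000u };
    struct model_buf raw, safe;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        provide_unchecked(&raw, 0, samples[i]);
        provide_clamped(&safe, 0, samples[i]);
        printf("len=0x%08x unchecked=%d clamped=%d\n", (unsigned)samples[i],
               (int)consumer_count(&raw), (int)consumer_count(&safe));
    }
    return 0;
}
```

With the clamp in place, no stored length can exceed the ceiling, so the signed view of it is never negative.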