oss-sec mailing list archives
Linux Kernel: Exploitable vulnerability in io_uring
From: Valentina Palmiotti <chompie () graplsecurity com>
Date: Sat, 18 Sep 2021 14:31:00 -0500
Hi, I'm writing to disclose a Linux Kernel vulnerability I found in the io_uring subsystem. The vulnerability is in fs/io_uring.c at loop_rw_iter. It is a controllable kernel buffer free.

Most files implement the file op function read_iter. However, if they don't (such as a procfs file like /proc/<pid>/maps), loop_rw_iter is called to manually perform the iterative read/write of a file. The pointer in req->rw.addr is incremented by the size of the read/write after each segment. In normal cases, req->rw.addr contains a pointer to a userspace buffer to read/write from. However, a user can use the IORING_OP_PROVIDE_BUFFERS command to preselect buffers for I/O operations. If this is the case, req->rw.addr contains a pointer to a kernel buffer (io_buffer structure). This buffer is later freed in io_put_kbuf after the read/write request completes. This gives the ability to free adjacent buffers at a controllable offset.

It is accessible from an unprivileged user, and straightforward to exploit for local privilege escalation. I plan to share the specifics for exploitation in the future.

I disclosed the vulnerability to security () kernel org, and the patch has been merged into the mainline kernel. It has also been backported into the affected stable trees: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc

CVE-2021-41073 has been reserved by MITRE for this vulnerability.

Best,
Valentina
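The bookkeeping flaw described in the post, as a constructed user-space model added here (not the kernel's code and not from the author): the segment loop advances `addr` unconditionally, so when the request used a provided buffer, the value later handed to the free path is the io_buffer address plus the bytes transferred. The corrected branch mirrors the shape of the upstream fix (advance only the iterator for a buffer-selected request); that shape is an assumption, and the names `rw_req`, `model_rw_loop` and `freed_offset_for_len` are illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of loop_rw_iter's pointer bookkeeping; not kernel code. */
struct io_buffer { char data[4096]; };   /* stands in for the kernel io_buffer */

struct rw_req {
    uintptr_t addr;       /* user buffer address, or the address of a kernel
                             io_buffer when a provided buffer was selected */
    size_t    len;        /* bytes left to transfer */
    size_t    iter_off;   /* stand-in for the iov_iter position */
    bool      buffer_sel; /* request selected an IORING_OP_PROVIDE_BUFFERS buffer */
};

/* Runs the segment loop and returns the address the completion path
 * (io_put_kbuf in the kernel) would hand to the allocator's free, or 0 if the
 * request used no kernel buffer. flawed=true reproduces the bug: addr is
 * advanced on every segment regardless of what it points to. */
uintptr_t model_rw_loop(struct rw_req *req, size_t seg, bool flawed)
{
    while (req->len) {
        size_t nr = req->len < seg ? req->len : seg;  /* one partial transfer */
        req->len -= nr;
        if (!req->buffer_sel || flawed)
            req->addr += nr;      /* correct for user buffers; the bug for kbufs */
        else
            req->iter_off += nr;  /* assumed fix shape: advance only the iterator */
    }
    return req->buffer_sel ? req->addr : 0;
}

/* Distance, in bytes, between the io_buffer and the pointer that would be freed
 * after transferring len bytes in seg-sized segments. 0 means the right buffer. */
size_t freed_offset_for_len(size_t len, size_t seg, bool flawed)
{
    struct io_buffer *kb = malloc(sizeof *kb);        /* constructed kernel buffer */
    struct rw_req req = { (uintptr_t)kb, len, 0, true };
    uintptr_t freed = model_rw_loop(&req, seg, flawed);
    free(kb);
    return (size_t)(freed - (uintptr_t)kb);
}

int main(void)
{
    printf("flawed: free target is io_buffer + %zu bytes\n",
           freed_offset_for_len(4096, 1024, true));
    printf("fixed:  free target is io_buffer + %zu bytes\n",
           freed_offset_for_len(4096, 1024, false));
    return 0;
}
```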
Current thread:
- Linux Kernel: Exploitable vulnerability in io_uring Valentina Palmiotti (Sep 18)