oss-sec mailing list archives
Re: Linux Kernel: Exploitable vulnerability in io_uring
From: Solar Designer <solar () openwall com>
Date: Sat, 4 Jun 2022 22:51:19 +0200
Hi,

On Sat, Sep 18, 2021 at 02:31:00PM -0500, Valentina Palmiotti wrote:
> I'm writing to disclose a Linux Kernel vulnerability I found in the io_uring subsystem. The vulnerability is in fs/io_uring.c at loop_rw_iter. It is a controllable kernel buffer free.
>
> Most files implement the file op function read_iter. However, if they don't (such as a procfs file like /proc/<pid>/maps), loop_rw_iter is called to manually perform the iterative read/write of a file. The pointer in req->rw.addr is incremented by the size of the read/write after each segment. In normal cases, req->rw.addr contains a pointer to a userspace buffer to read/write from. However, a user can use the IORING_OP_PROVIDE_BUFFERS command to preselect buffers for I/O operations. If this is the case, req->rw.addr contains a pointer to a kernel buffer (io_buffer structure). This buffer is later freed in io_put_kbuf after the read/write request completes. This gives the ability to free adjacent buffers at a controllable offset.
>
> It is accessible from unprivileged users, and straightforward to exploit for local privilege escalation. I plan to share the specifics for exploitation in the future.
>
> I disclosed the vulnerability to security () kernel org, and the patch has been merged into the mainline kernel. It has also been backported into the affected stable trees:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc
>
> CVE-2021-41073 has been reserved by MITRE for this vulnerability.
Here's Valentina's writeup on the above (March 16, 2022) and exploit:

https://www.graplsecurity.com/post/iou-ring-exploiting-the-linux-kernel
https://github.com/chompie1337/Linux_LPE_io_uring_CVE-2021-41073

Ideally, we'd also post (attach) the actual content (not only links) to the list for archival, but this is non-trivial. Valentina, please feel free to do that in a reply if you like, or not if you don't.

As far as I can tell, this issue wasn't handled via linux-distros (so the exploit must not have been in there either, and is thus not subject to the mandatory oss-security posting policy), but I did not verify. The writeup above includes:
> 9/13/2021: Greg K-H responds to my initial report that states I want to coordinate disclosure with the linux-distros mailing list so downstream consumers can apply the patch. He says since most distros sync on stable releases, it is not necessary to get the distro list involved. I don't get the distro list involved.
Alexander
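The following is an added illustration, not code from the thread, the kernel, or Valentina's writeup. It is a small user-space C model of the defect pattern quoted above: a loop that advances the request's stored address after every segment, which is correct only while that address is a user buffer. When the request instead carries a pointer to a kernel-side buffer descriptor (the io_buffer case the report describes), the same increment displaces that pointer, and a later release through it targets the wrong object. The hardened variant beside it keeps the byte cursor in a local and leaves a descriptor pointer untouched. The struct names, the addr_kind tag, and the segment-transfer stand-in are all constructed for the model; the hardened form shows the principle, not the upstream patch text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not kernel code) of the request state the report
 * describes. addr is either a user-space buffer address or, when a
 * provided buffer was selected, the address of a kernel-side descriptor. */
enum addr_kind { ADDR_USER, ADDR_KBUF };

struct kbuf_desc {          /* constructed stand-in for the descriptor */
    uint64_t user_addr;
    size_t len;
};

struct rw_req {
    enum addr_kind kind;
    uintptr_t addr;         /* user address, or (uintptr_t)struct kbuf_desc * */
    size_t len;             /* bytes still to transfer */
};

/* Model of one segment transfer: returns the number of bytes handled. */
static size_t transfer_segment(size_t remaining, size_t seg_max)
{
    return remaining < seg_max ? remaining : seg_max;
}

/* Defective shape from the report: addr is advanced after every segment
 * regardless of what it points at, so a descriptor pointer ends up
 * displaced by the total byte count. */
static uintptr_t loop_rw_defective(struct rw_req *req, size_t seg_max)
{
    while (req->len) {
        size_t nr = transfer_segment(req->len, seg_max);
        req->len -= nr;
        req->addr += nr;    /* only meaningful for a user buffer address */
    }
    return req->addr;
}

/* Hardened shape: the cursor is a local, and the stored addr is updated
 * only for a user buffer. A descriptor pointer is returned unchanged, so a
 * later release sees the object that was actually selected. */
static uintptr_t loop_rw_hardened(struct rw_req *req, size_t seg_max)
{
    size_t done = 0;
    while (done < req->len) {
        size_t nr = transfer_segment(req->len - done, seg_max);
        done += nr;
    }
    req->len -= done;
    if (req->kind == ADDR_USER)
        req->addr += done;
    return req->addr;
}

/* How far the stored pointer moved from the descriptor after looping over
 * `len` bytes in `seg_max`-byte segments. Zero means the pointer survived. */
static ptrdiff_t kbuf_displacement(uintptr_t (*loop)(struct rw_req *, size_t),
                                   size_t len, size_t seg_max)
{
    struct kbuf_desc desc = { 0x10000, len };   /* constructed descriptor */
    struct rw_req req = { ADDR_KBUF, (uintptr_t)&desc, len };
    uintptr_t after = loop(&req, seg_max);
    return (ptrdiff_t)(after - (uintptr_t)&desc);
}

static ptrdiff_t displacement_defective(size_t len, size_t seg_max)
{
    return kbuf_displacement(loop_rw_defective, len, seg_max);
}

static ptrdiff_t displacement_hardened(size_t len, size_t seg_max)
{
    return kbuf_displacement(loop_rw_hardened, len, seg_max);
}

/* Regression check: user-buffer handling must be unchanged by the fix. */
static uintptr_t user_addr_after_hardened(uintptr_t start, size_t len, size_t seg_max)
{
    struct rw_req req = { ADDR_USER, start, len };
    return loop_rw_hardened(&req, seg_max);
}

int main(void)
{
    printf("descriptor displacement, defective loop: %td bytes\n",
           displacement_defective(64, 16));
    printf("descriptor displacement, hardened loop:  %td bytes\n",
           displacement_hardened(64, 16));
    printf("user address after hardened loop: 0x%lx\n",
           (unsigned long)user_addr_after_hardened(0x1000, 64, 16));
    return 0;
}
```

The displacement helper is the check a reviewer would want when auditing a loop like this: any code path that writes back a cursor into a field whose meaning depends on request flags should be exercised once per flag value, and the descriptor-carrying case must come back with a displacement of zero.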