oss-sec mailing list archives

Linux kernel: io_uring: free of unallocated buffer list in io_register_pbuf_ring()

From: Solar Designer <solar () openwall com>
Date: Mon, 8 Aug 2022 13:20:20 +0200

Hi,

I think this wasn't reported in here before, and has no CVE ID?

Writeup in Chinese dated July 29:

https://dawnslab.jd.com/linux-5.19-rc2_pbuf_ring_0day/

Fix dated July 21, per the writeup included in 5.19-rc8:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ec8516f3b7c40ba7050e6b3a32467e9de451ecdf

Per the Fixes tag, the bug was introduced in May, in:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c7fb19428d67

Alexander

Current thread:

Linux kernel: io_uring: free of unallocated buffer list in io_register_pbuf_ring() Solar Designer (Aug 08)
- Re: Linux kernel: io_uring: free of unallocated buffer list in io_register_pbuf_ring() Florian Weimer (Aug 08)