Re: CVE-2022-2602 - Linux kernel io_uring UAF

[David Bouman <dbouman03 () gmail com>]

Hey,

I found this vulnerability independently of ZDI, and reported it to the
maintainers (this email address is stated in the patch).

I can verify that this issue is exploitable on 5.10 as well, the stated
patch does not prevent the issue.

Regards,

David


On Tue, 18 Oct 2022, 19:28 Thadeu Lima de Souza Cascardo <
cascardo () canonical com> wrote:

> A local privilege escalation vulnerabilty involving Unix socket Garbage
> Collection and io_uring was reported and fixed as:
>
> 0091bfc81741b8d3aeb3b7ab8636f911b2de6e80 ("io_uring/af_unix: defer
> registered files gc to io_uring release")
>
> The vulnerability is a use-after-free that happens when an io_uring request
> is being processed on a registered file and the Unix GC runs and frees the
> io_uring fd and all the registered fds. The order at which the Unix GC
> processes the inflight fds may lead to registered fds be freed before the
> io_uring is released and has the chance to unregister and wait for such
> requests to finish.
>
> One way to trigger this race condition is to use userfaultfd and other
> similar strategies that cause the request to be held waiting for the
> attacker to trigger the free.
>
> This issue was reported as ZDI-CAN-17428 and has been assigned
> CVE-2022-2602.
>
> It affects upstream stable 5.4.y, 5.15.y and later versions. 5.10.y may be
> mitigated by the fact that commit 0f2122045b946241a9e549c2a76cea54fa58a7ff
> ("io_uring: don't rely on weak ->files references") is present, but it is
> safer to apply the fixes.
>
> A PoC will be posted in 7 days, on October 25th.
>
> Cascardo.