oss-sec mailing list archives
CVE-2023-1032 - Linux kernel io_uring IORING_OP_SOCKET double free
From: Thadeu Lima de Souza Cascardo <cascardo () canonical com>
Date: Mon, 13 Mar 2023 17:06:10 -0300
A double-free vulnerability was found in the handling of the IORING_OP_SOCKET operation with io_uring on the Linux kernel.

It was fixed by commit 649c15c7691e9b13cbe9bf6c65c365350e056067 ("net: avoid double iput when sock_alloc_file fails").

It has been assigned CVE-2023-1032.

It affects kernel versions starting with 5.19-rc1 and should affect any backports including commits da214a475f8bd1d3e9e7a19ddfeb4d1617551bab ("net: add __sys_socket_file()") and 1374e08e2d44863c931910797852589803997668 ("io_uring: add socket(2) support").

It requires a memory allocation failure to happen, which will be followed by a double free of a recently allocated object. Causing the memory allocation failure does not require much more than being in a memory cgroup with a maximum allocation setup (systemd MemoryMax, for example).

The double free happens with iput, which sets up a flag, and leads to a BUG_ON. So, at least, a system crash is possible.

Cascardo.
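A userspace model of the error-path ownership mistake the fix commit addresses, added here as an illustration; it is neither the kernel's code nor the poster's. It assumes, based on the fix title "avoid double iput when sock_alloc_file fails", that sock_alloc_file() releases the socket itself when its allocation fails, so a caller that also releases on that path frees the same object twice; the reference count going negative stands in for the BUG_ON the message describes.

```c
#include <errno.h>

/* Minimal stand-in for the kernel socket object: one reference held by its
 * owner.  Nothing is really freed, so a double release stays observable. */
struct sock_model {
    int refs;
};

/* Stand-in for sock_release()/iput(): drops the owner's reference.
 * Going below zero is the "already freed" condition (the kernel's BUG_ON). */
static void sock_release(struct sock_model *s) {
    s->refs--;
}

/* Stand-in for sock_alloc_file().  Assumed contract: when the file
 * allocation fails it releases the socket itself before returning the
 * error, so the caller no longer owns the socket on the error path. */
static int sock_alloc_file(struct sock_model *s, int alloc_fails) {
    if (alloc_fails) {
        sock_release(s);
        return -ENOMEM;
    }
    return 0;   /* success: the new file now owns the socket reference */
}

/* Caller shaped like the pre-fix path: it cleans up on error as if it still
 * owned the socket, so under allocation failure it releases a second time. */
static int socket_file_buggy(struct sock_model *s, int alloc_fails) {
    int err = sock_alloc_file(s, alloc_fails);
    if (err)
        sock_release(s);   /* second release of the same object */
    return err;
}

/* Caller shaped like the fixed path: ownership passes to sock_alloc_file()
 * for both outcomes, so the caller has nothing left to release on error. */
static int socket_file_fixed(struct sock_model *s, int alloc_fails) {
    return sock_alloc_file(s, alloc_fails);
}

/* Runs one caller variant under a forced allocation failure and reports
 * whether the socket was released twice (reference count below zero). */
int double_release_under_alloc_failure(int use_fixed) {
    struct sock_model s = { .refs = 1 };
    int err = use_fixed ? socket_file_fixed(&s, 1) : socket_file_buggy(&s, 1);
    return err == -ENOMEM && s.refs < 0;
}
```

The same forced failure that the message attributes to a cgroup memory limit is what makes the buggy caller's extra release reachable; the fixed caller returns the error with the count intact.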