oss-sec mailing list archives
Re: Linux kernel io_uring out-of-bounds access to physical memory
From: Solar Designer <solar () openwall com>
Date: Wed, 10 May 2023 01:14:34 +0200

On Mon, May 08, 2023 at 04:01:59PM +0200, Tobias Holl wrote:
> a bug in the fixed buffer registration code for io_uring
> (io_sqe_buffer_register in io_uring/rsrc.c) allows out-of-bounds access
> to physical memory beyond the end of the buffer. This can be used to
> achieve full local privilege escalation.
>
> The vulnerable code landed in 6.3-rc1 with commit 57bebf807e2a
> ("io_uring/rsrc: optimise registered huge pages").
>
> A fix has been committed upstream for 6.4-rc1 in commit 776617db78c6
> ("io_uring/rsrc: check for nonconsecutive pages"). The fix has also
> been staged for 6.3.2.
>
> CVE assignment for this issue is pending.

This is now CVE-2023-2598.

Alexander
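
A triage helper built from the version range stated in the thread, added here as an example and not part of the original messages or of any project's tooling. The function name `classify_kernel` and its output labels are made up for this example, and it assumes the fix staged for 6.3.2 shipped in that release.

```shell
#!/bin/sh
# Added example (not from the thread): classify an upstream kernel release
# string against the range given for CVE-2023-2598.
#   vulnerable code landed: 6.3-rc1
#   fix: 6.4-rc1, staged for 6.3.2 (assumed here to have shipped in 6.3.2)
# Distribution kernels may carry backports, so treat the result as a first
# triage step and confirm against the vendor's advisory.

classify_kernel() {
    rel=$1
    base=${rel%%[!0-9.]*}            # leading numeric part, e.g. "6.3.1"
    case $base in
        *.*) ;;
        *) echo unknown; return 2 ;; # no major.minor to compare
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;              # "6.3-rc1" style, no patch level
    esac
    patch=${patch:-0}
    [ -n "$major" ] && [ -n "$minor" ] || { echo unknown; return 2; }

    if [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 3 ]; }; then
        echo not-affected            # predates the 6.3-rc1 change
    elif [ "$major" -eq 6 ] && [ "$minor" -eq 3 ] && [ "$patch" -lt 2 ]; then
        echo affected                # 6.3-rc1 through 6.3.1
    else
        echo fixed                   # 6.3.2 and later, 6.4-rc1 and later
    fi
}

# Check the running kernel.
classify_kernel "$(uname -r)" || true
```
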
