oss-sec mailing list archives
Re: Linux kernel io_uring out-of-bounds access to physical memory
From: Solar Designer <solar () openwall com>
Date: Wed, 10 May 2023 01:14:34 +0200
On Mon, May 08, 2023 at 04:01:59PM +0200, Tobias Holl wrote:
a bug in the fixed buffer registration code for io_uring (io_sqe_buffer_register in io_uring/rsrc.c) allows out-of-bounds access to physical memory beyond the end of the buffer. This can be used to achieve full local privilege escalation. The vulnerable code landed in 6.3-rc1 with commit 57bebf807e2a ("io_uring/rsrc: optimise registered huge pages"). A fix has been committed upstream for 6.4-rc1 in commit 776617db78c6 ("io_uring/rsrc: check for nonconsecutive pages"). The fix has also been staged for 6.3.2. CVE assignment for this issue is pending.
This is now CVE-2023-2598. Alexander
Current thread:
- Linux kernel io_uring out-of-bounds access to physical memory Tobias Holl (May 08)
- Re: Linux kernel io_uring out-of-bounds access to physical memory Solar Designer (May 09)
- Re: Linux kernel io_uring out-of-bounds access to physical memory Solar Designer (May 10)