Re: Linux kernel io_uring out-of-bounds access to physical memory

[Solar Designer <solar () openwall com>]

On Mon, May 08, 2023 at 04:01:59PM +0200, Tobias Holl wrote:
> TL;DR bug reproduction steps:
>  1. Create a memfd
>  2. fallocate a single page in that file descriptor
>  3. Use MAP_FIXED to map this page repeatedly, in consecutive locations
>  4. Register the entire region that you just filled up with that page as
>     a fixed buffer with IORING_REGISTER_BUFFERS
>  5. Use IORING_OP_WRITE_FIXED to write the buffer to some other file
>     (OOB read) or IORING_OP_READ_FIXED to read data into the buffer (OOB
>     write).
>
> Of course, from there, we can simply find any interesting object in
> physical memory and start overwriting function pointers to get code
> execution and escalate privileges. A full proof-of-concept exploit with
> a bit more robustness can be found at
>   https://tholl.xyz/static/bugs/2023-io_uring-fixed-buffers/exploit.c

I initially overlooked that the exploit was only shared by reference.
Let's have it right in here for archival.  Attached.

Alexander

Attachment: exploit.c
Description: