oss-sec mailing list archives

Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring

From: Marcus Meissner <meissner () suse de>
Date: Wed, 19 Jul 2023 09:47:15 +0200

Hi,

On Fri, Jul 14, 2023 at 08:06:56PM +0200, Solar Designer wrote:

Hi,

Thank you for bringing this to oss-security back then.  I have a few
questions below that I think you could clarify for everyone.  I'll quote
more of your message than I normally do since it's been a while.

...

There's a recent write-up on an exploitation technique that also
partially describes CVE-2023-21400, "a double free vulnerability in
io_uring [...] found by Ye Zhang and [Nicolas Wu] last year, affecting
kernel 5.10. [...] we exploit CVE-2023-21400 with Dirty Pagetable on
Google Pixel 7."

Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel
https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html

I wish this vulnerability and exploitation technique were properly
brought to oss-security on its own, and in a context not limited to
Google Pixel.  Maybe it will be once the full description is made
public, as right now the write-up above omits vulnerability detail.

It appears that this got patched in the July 5 update for Google Pixel:

Pixel Update Bulletin - July 2023
Published July 5, 2023
https://source.android.com/docs/security/bulletin/pixel/2023-07-01

"For Google devices, security patch levels of 2023-07-05 or later
address all issues in this bulletin and all issues in the July 2023
Android Security Bulletin."

"CVE-2023-21400       A-264663832 *   EoP     Moderate        Kernel io_uring"

Nothing is mentioned about seccomp-bpf on either of the above web pages,
although maybe it's factored into the Moderate severity rating?

I understand that with vulnerability detail still not public you might
not be able to tell much, but I am wondering whether there's any
inconsistency here (seccomp-bpf on Android was meant to prevent this,
but did not?) or just a misunderstanding or something else.  I wonder
if a vulnerability in io_uring could be such that it's exploitable
without io_uring access directly from the attacking app.


FWIW we reached out to the Android CNA team, but their statement back
to us was that they pulled quite a number of backport commits into their 5.5
and 5.10 based trees, but did either not specify nor identify specific commits
fixing the issue (or further details) so far.

Ciao, Marcus

Current thread:

Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Solar Designer (Jul 14)
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Marcus Meissner (Jul 19)
  - Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Marcus Meissner (Jul 25)
    - Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Solar Designer (Jul 25)
- Re: Our learnings from 42 Linux kernel exploits, we are limiting io_uring Tamás Koczka (Jul 19)