oss-sec mailing list archives
CVE-2022-1786: Linux Kernel invalid-free in io_uring
From: Kyle Zeng <zengyhkyle () gmail com>
Date: Tue, 24 May 2022 09:10:37 -0700
Hi there, I recently found a severe invalid-free bug in the io_uring subsystem which affects Linux kernel v5.10. It has been demonstrated that the vulnerability can be exploited to achieve local privilege escalation. # Root Cause The root cause of the bug is a misuse of the identity model in io_uring. When preparing a request, the kernel uses the identity of the current task instead of that of the request task, which causes type confusion and invalid-free when the request needs to be destroyed. # Impact I wrote a proof-of-concept exploit and demonstrated that it can be used to achieve local privilege escalation. # Affected Versions To the best of my knowledge, this bug only affects Linux kernel v5.10 and v5.11 because of their unique identity model in io_uring. But it still affects many users because of some widely used vendors (Android 12, ChromeOS, etc). # Disclosure & Patch I already contacted the Linux security team and prepared a patch. The patch has been merged into the Linux kernel stable tree and it can be found here: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=29f077d070519a88a793fbc70f1e6484dc6d9e35. I also informed the vendors and gave enough time for them to patch the bug before this public disclosure. -- Kyle Zeng
Current thread:
- CVE-2022-1786: Linux Kernel invalid-free in io_uring Kyle Zeng (May 24)
- Re: CVE-2022-1786: Linux Kernel invalid-free in io_uring Solar Designer (May 24)
- Re: CVE-2022-1786: Linux Kernel invalid-free in io_uring Kyle Zeng (May 24)
- Re: CVE-2022-1786: Linux Kernel invalid-free in io_uring Kyle Zeng (May 28)
- Re: CVE-2022-1786: Linux Kernel invalid-free in io_uring Kyle Zeng (May 24)
- Re: CVE-2022-1786: Linux Kernel invalid-free in io_uring Solar Designer (May 24)