CVE-2022-1786: Linux Kernel invalid-free in io_uring

[Kyle Zeng <zengyhkyle () gmail com>]

Hi there,

I recently found a severe invalid-free bug in the io_uring subsystem
which affects Linux kernel v5.10. It has been demonstrated that the
vulnerability can be exploited to achieve local privilege escalation.

# Root Cause
The root cause of the bug is a misuse of the identity model in
io_uring. When preparing a request, the kernel uses the identity of
the current task instead of that of the request task, which causes
type confusion and invalid-free when the request needs to be
destroyed.

# Impact
I wrote a proof-of-concept exploit and demonstrated that it can be
used to achieve local privilege escalation.

# Affected Versions
To the best of my knowledge, this bug only affects Linux kernel v5.10
and v5.11 because of their unique identity model in io_uring. But it
still affects many users because of some widely used vendors (Android
12, ChromeOS, etc).

# Disclosure & Patch
I already contacted the Linux security team and prepared a patch. The
patch has been merged into the Linux kernel stable tree and it can be
found here: 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=29f077d070519a88a793fbc70f1e6484dc6d9e35.

I also informed the vendors and gave enough time for them to patch the
bug before this public disclosure.

--
Kyle Zeng