oss-sec mailing list archives

CVE-2023-1032 - Linux kernel io_uring IORING_OP_SOCKET double free


From: Thadeu Lima de Souza Cascardo <cascardo () canonical com>
Date: Mon, 13 Mar 2023 17:06:10 -0300

A double-free vulnerability was found in the handling of IORING_OP_SOCKET
operation with io_uring on the Linux kernel.

It was fixed by commit:

649c15c7691e9b13cbe9bf6c65c365350e056067 ("net: avoid double iput when sock_alloc_file fails")

It has been assigned CVE-2023-1032.

It affects kernel versions starting with 5.19-rc1 and should affect any
backports including commits da214a475f8bd1d3e9e7a19ddfeb4d1617551bab ("net: add
__sys_socket_file()") and 1374e08e2d44863c931910797852589803997668 ("io_uring:
add socket(2) support").

It requires a memory allocation failure to happen, which will be followed by a
double free of a recently allocated object.

Causing the memory allocation failure does not require much more than being in
a memory cgroup with a maximum allocation setup (systemd MemoryMax, for
example).

The double free happens with iput, which sets up a flag, and leads to a BUG_ON.
So, at least, a system crash is possible.

Cascardo.
