Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 4 Jun 2022 22:51:19 +0200
From: Solar Designer <solar@...nwall.com>
To: Valentina Palmiotti <chompie@...plsecurity.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Linux Kernel: Exploitable vulnerability in io_uring

Hi,

On Sat, Sep 18, 2021 at 02:31:00PM -0500, Valentina Palmiotti wrote:
> I'm writing to disclose a Linux Kernel vulnerability I found in the
> io_uring subsystem.
> 
> The vulnerability is in fs/io_uring.c at loop_rw_iter. It is a controllable
> kernel buffer free.
> 
> Most files implement the file op function read_iter. However, if they don't
> (such as a procfs file like /proc/<pid>/maps), loop_rw_iter is called to
> manually perform the iterative read/write of a file. The pointer
> in req->rw.addr is incremented by the size of the read/write after each
> segment. In normal cases, req->rw.addr contains a pointer to a userspace
> buffer to read/write from. However, a user can use the
> IORING_OP_PROVIDE_BUFFERS command to preselect buffers for I/O operations.
> If this is the case, req->rw.addr contains a pointer to a kernel buffer
> (io_buffer structure). This buffer is later freed in io_put_kbuf after the
> read/write request completes.
> 
> This gives the ability to free adjacent buffers at a controllable offset.
> It is accessible from unprivileged, and straight forward to exploit for
> local privilege escalation. I plan to share the specifics for exploitation
> in the future.
> 
> I disclosed the vulnerability to security () kernel org, and the patch has
> been merged into the mainline kernel. It has also been backported into the
> affected stable trees:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc
> 
> CVE-2021-41073 has been reserved by MITRE for this vulnerability

Here's Valentina's writeup on the above (March 16, 2022) and exploit:

https://www.graplsecurity.com/post/iou-ring-exploiting-the-linux-kernel
https://github.com/chompie1337/Linux_LPE_io_uring_CVE-2021-41073

Ideally, we'd also post (attach) the actual content (not only links) to
the list for archival, but this is non-trivial.  Valentina, please feel
free to do that in a reply if you like, or not if you don't.

As far as I can tell, this issue wasn't handled via linux-distros (so
the exploit must not have been in there either, and is thus not subject
to the mandatory oss-security posting policy), but I did not verify.
The writeup above includes:

> 9/13/2021: Greg K-H responds to my initial report that states I want to
> coordinate disclosure with the linux-distros mailing list so downstream
> consumers can apply the patch. He says since most distros sync on stable
> releases, it is not necessary to get the distro list involved. I don't
> get the distro list involved.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.