Message-ID: <20210511181346.GM12149@mussarela>
Date: Tue, 11 May 2021 15:13:46 -0300
From: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-3491 - Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT
 bypass

It was discovered that the io_uring PROVIDE_BUFFERS operation allowed the
MAX_RW_COUNT limit to be bypassed, which led to negative values being used
in mem_rw when reading /proc/<PID>/mem.

Billy Jheng Bing-Jhong (@st424204) of STAR Labs working with Trend Micro's
Zero Day Initiative discovered that this vulnerability could be turned into
a heap overflow. This has been reported as ZDI-CAN-13546, and assigned
CVE-2021-3491.

IORING_OP_PROVIDE_BUFFERS was introduced in commit ddf0322db79c ("io_uring:
add IORING_OP_PROVIDE_BUFFERS") where lengths larger than MAX_RW_COUNT
could be used and accepted. This commit was introduced in 5.7-rc1. It was
not backported to any upstream LTS kernels.

This has been fixed by commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db

Cascardo.
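
Added example, not part of the original message and not kernel source: a user-space C model of why a buffer length above MAX_RW_COUNT ends up as a negative value downstream, and how a clamp to the limit prevents it. It assumes 4 KiB pages and a consumer that narrows the byte count to a signed int; the model_* names and the sample lengths are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model, not kernel code. Assumes 4 KiB pages. */
#define MODEL_PAGE_SIZE    4096L
#define MODEL_PAGE_MASK    (~(MODEL_PAGE_SIZE - 1))
/* Same formula as the kernel's MAX_RW_COUNT: INT_MAX rounded down to a page. */
#define MODEL_MAX_RW_COUNT ((uint32_t)(INT_MAX & MODEL_PAGE_MASK))

/* Enforce the limit on a caller-supplied 32-bit buffer length. */
uint32_t model_clamp_len(uint32_t len)
{
    return len > MODEL_MAX_RW_COUNT ? MODEL_MAX_RW_COUNT : len;
}

/*
 * Assumed consumer: picks a per-iteration chunk by narrowing the remaining
 * byte count to int. The narrowing wraps on gcc/clang (implementation-defined
 * in ISO C), so a 32-bit count above INT_MAX yields a negative chunk length.
 */
int model_chunk_len(uint32_t count)
{
    int as_int = (int)count;
    return as_int < (int)MODEL_PAGE_SIZE ? as_int : (int)MODEL_PAGE_SIZE;
}

int main(void)
{
    /* Constructed sample lengths, not taken from any report. */
    const uint32_t samples[] = { 100u, 0x7ffff000u, 0x80000000u, 0xffffffffu };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t len = samples[i];
        printf("len=0x%08x  unclamped chunk=%d  clamped chunk=%d\n",
               (unsigned)len, model_chunk_len(len),
               model_chunk_len(model_clamp_len(len)));
    }
    return 0;
}
```

The clamp here illustrates enforcing the limit at the point where the length is accepted; it is not the text of the fix commit.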
