Date: Tue, 11 May 2021 15:13:46 -0300 From: Thadeu Lima de Souza Cascardo <cascardo@...onical.com> To: oss-security@...ts.openwall.com Subject: CVE-2021-3491 - Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT bypass It was discovered that io_uring PROVIDE_BUFFERS operation allowed the MAX_RW_COUNT limit to be bypassed, which led to negative values being used in mem_rw when reading /proc/<PID>/mem. Billy Jheng Bing-Jhong (@st424204) of STAR Labs working with Trend Micro's Zero Day Initiative discovered that this vulnerability could be turned into a heap overflow. This has been reported as ZDI-CAN-13546, and assigned CVE-2021-3491. IORING_OP_PROVIDE_BUFFERS was introduced in commit ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") where lengths larger than MAX_RW_COUNT could be used and accepted. This commit was introduced in 5.7-rc1. It was not backported to any upstream LTS kernels. This has been fixed by commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db Cascardo.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.