Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 11 May 2021 15:13:46 -0300
From: Thadeu Lima de Souza Cascardo <>
Subject: CVE-2021-3491 - Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT

It was discovered that io_uring PROVIDE_BUFFERS operation allowed the
MAX_RW_COUNT limit to be bypassed, which led to negative values being used
in mem_rw when reading /proc/<PID>/mem.

Billy Jheng Bing-Jhong (@st424204) of STAR Labs working with Trend Micro's
Zero Day Initiative discovered that this vulnerability could be turned into
a heap overflow. This has been reported as ZDI-CAN-13546, and assigned

IORING_OP_PROVIDE_BUFFERS was introduced in commit ddf0322db79c ("io_uring:
add IORING_OP_PROVIDE_BUFFERS") where lengths larger than MAX_RW_COUNT
could be used and accepted. This commit was introduced in 5.7-rc1. It was
not backported to any upstream LTS kernels.

This has been fixed by commit:


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.