Date: Sat, 18 Sep 2021 14:31:00 -0500
From: Valentina Palmiotti <chompie@...plsecurity.com>
To: oss-security@...ts.openwall.com
Subject: Linux Kernel: Exploitable vulnerability in io_uring

Hi,

I'm writing to disclose a Linux Kernel vulnerability I found in the
io_uring subsystem.

The vulnerability is in fs/io_uring.c at loop_rw_iter. It is a controllable
kernel buffer free.

Most files implement the file op function read_iter. However, if they don't
(such as a procfs file like /proc/<pid>/maps), loop_rw_iter is called to
manually perform the iterative read/write of a file. The pointer
in req->rw.addr is incremented by the size of the read/write after each
segment. In normal cases, req->rw.addr contains a pointer to a userspace
buffer to read/write from. However, a user can use the
IORING_OP_PROVIDE_BUFFERS command to preselect buffers for I/O operations.
If this is the case, req->rw.addr contains a pointer to a kernel buffer
(io_buffer structure). This buffer is later freed in io_put_kbuf after the
read/write request completes.

This gives the ability to free adjacent buffers at a controllable offset.
It is accessible from an unprivileged context, and straightforward to
exploit for local privilege escalation. I plan to share the specifics for
exploitation in the future.

I disclosed the vulnerability to security () kernel org, and the patch has
been merged into the mainline kernel. It has also been backported into the
affected stable trees:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc

CVE-2021-41073 has been reserved by MITRE for this vulnerability.

Best,

Valentina
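
The mechanism described in the post, as an added user-space model that is not
part of the original message and not kernel code: the structs, the
REQ_F_BUFFER_SELECT flag, the slab array and the helper names are stand-ins
that keep only what the bug needs, and the "hardened" branch (leave addr alone
when it holds a kernel io_buffer pointer) is this model's own fix, not a claim
about the exact shape of the upstream patch. The model shows why advancing
req->rw.addr by the bytes read is harmless for a user pointer but, with a
provided buffer, turns the later io_put_kbuf() into a free of a neighbouring
slab object at an attacker-chosen offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model of the loop_rw_iter() address-advance bug (CVE-2021-41073).
 * Everything here is a simplified stand-in, not the kernel's definitions. */

#define REQ_F_BUFFER_SELECT 0x1u   /* assumed flag name for "buffer was preselected" */

/* Stand-in for the kernel io_buffer registered via IORING_OP_PROVIDE_BUFFERS. */
struct io_buffer {
    uint64_t addr;  /* user address of the provided data buffer */
    uint32_t len;
    uint16_t bid;   /* buffer id */
};

/* Stand-in for the read/write fields of an io_uring request (req->rw.*). */
struct io_rw_req {
    unsigned flags;
    uint64_t addr;  /* user pointer, or with BUFFER_SELECT a kernel io_buffer pointer */
    size_t len;
};

/* Model of a slab cache: adjacent kernel objects of one size. */
#define NKBUFS 4
static struct io_buffer kbufs[NKBUFS];

/* Per-segment loop. In the kernel nr is whatever the file's read() returned;
 * here the caller fixes the segment size. With advance_on_kbuf != 0 the
 * address is advanced unconditionally (the bug); with 0 it is advanced only
 * when it really is a user pointer (this model's hardened variant). */
static void loop_rw_iter_model(struct io_rw_req *req, size_t seg, int advance_on_kbuf)
{
    while (req->len) {
        size_t nr = seg < req->len ? seg : req->len;
        req->len -= nr;
        if (advance_on_kbuf || !(req->flags & REQ_F_BUFFER_SELECT))
            req->addr += nr;   /* wrong when addr is a kernel io_buffer pointer */
    }
}

/* Model of io_put_kbuf(): report which slab object the completed request
 * would free. Returns the object index, or -1 when the pointer has left the
 * cache entirely (in the kernel: an invalid free, or a free of whatever
 * other object happens to live there). */
static int kbuf_free_target(const struct io_rw_req *req)
{
    uintptr_t base = (uintptr_t)kbufs;
    uintptr_t p = (uintptr_t)req->addr;
    if (p < base || p >= base + sizeof(kbufs))
        return -1;
    return (int)((p - base) / sizeof(struct io_buffer));
}

/* One request that selected kbufs[0] and reads 'total' bytes in 'seg'-byte
 * segments; returns the index io_put_kbuf would free afterwards. */
static int run_request(size_t total, size_t seg, int buggy)
{
    struct io_rw_req req = {
        .flags = REQ_F_BUFFER_SELECT,
        .addr = (uint64_t)(uintptr_t)&kbufs[0],
        .len = total,
    };
    loop_rw_iter_model(&req, seg, buggy);
    return kbuf_free_target(&req);
}

int main(void)
{
    size_t sz = sizeof(struct io_buffer);
    /* Reading exactly two object sizes walks the pointer two objects forward. */
    printf("buggy: request frees kbufs[%d]\n", run_request(2 * sz, sz, 1));
    printf("fixed: request frees kbufs[%d]\n", run_request(2 * sz, sz, 0));
    return 0;
}
```

The read length is the knob: every byte returned by the underlying read moves
the pointer one byte, so a caller who controls how much the procfs read
returns controls which neighbouring object gets freed.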
