Date: Tue, 24 May 2022 09:10:37 -0700 From: Kyle Zeng <zengyhkyle@...il.com> To: oss-security@...ts.openwall.com Subject: CVE-2022-1786: Linux Kernel invalid-free in io_uring Hi there, I recently found a severe invalid-free bug in the io_uring subsystem which affects Linux kernel v5.10. It has been demonstrated that the vulnerability can be exploited to achieve local privilege escalation. # Root Cause The root cause of the bug is a misuse of the identity model in io_uring. When preparing a request, the kernel uses the identity of the current task instead of that of the request task, which causes type confusion and invalid-free when the request needs to be destroyed. # Impact I wrote a proof-of-concept exploit and demonstrated that it can be used to achieve local privilege escalation. # Affected Versions To the best of my knowledge, this bug only affects Linux kernel v5.10 and v5.11 because of their unique identity model in io_uring. But it still affects many users because of some widely used vendors (Android 12, ChromeOS, etc). # Disclosure & Patch I already contacted the Linux security team and prepared a patch. The patch has been merged into the Linux kernel stable tree and it can be found here: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.10.y&id=29f077d070519a88a793fbc70f1e6484dc6d9e35. I also informed the vendors and gave enough time for them to patch the bug before this public disclosure. -- Kyle Zeng
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.