Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 10 May 2023 01:14:34 +0200
From: Solar Designer <solar@...nwall.com>
To: Tobias Holl <tobias@...ll.xyz>
Cc: oss-security@...ts.openwall.com
Subject: Re: Linux kernel io_uring out-of-bounds access to physical memory

On Mon, May 08, 2023 at 04:01:59PM +0200, Tobias Holl wrote:
> a bug in the fixed buffer registration code for io_uring
> (io_sqe_buffer_register in io_uring/rsrc.c) allows out-of-bounds access
> to physical memory beyond the end of the buffer. This can be used to
> achieve full local privilege escalation.
> 
> The vulnerable code landed in 6.3-rc1 with commit 57bebf807e2a
> ("io_uring/rsrc: optimise registered huge pages").
> 
> A fix has been committed upstream for 6.4-rc1 in commit 776617db78c6
> ("io_uring/rsrc: check for nonconsecutive pages"). The fix has also
> been staged for 6.3.2.
> 
> CVE assignment for this issue is pending.

This is now CVE-2023-2598.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.