Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 19 Jul 2023 09:47:15 +0200
From: Marcus Meissner <>
Cc: Tamas Koczka <>
Subject: Re: Our learnings from 42 Linux kernel exploits, we
 are limiting io_uring


On Fri, Jul 14, 2023 at 08:06:56PM +0200, Solar Designer wrote:
> Hi,
> Thank you for bringing this to oss-security back then.  I have a few
> questions below that I think you could clarify for everyone.  I'll quote
> more of your message than I normally do since it's been a while.


> There's a recent write-up on an exploitation technique that also
> partially describes CVE-2023-21400, "a double free vulnerability in
> io_uring [...] found by Ye Zhang and [Nicolas Wu] last year, affecting
> kernel 5.10. [...] we exploit CVE-2023-21400 with Dirty Pagetable on
> Google Pixel 7."
> Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel
> I wish this vulnerability and exploitation technique were properly
> brought to oss-security on its own, and in a context not limited to
> Google Pixel.  Maybe it will be once the full description is made
> public, as right now the write-up above omits vulnerability detail.
> It appears that this got patched in the July 5 update for Google Pixel:
> Pixel Update Bulletin - July 2023
> Published July 5, 2023
> "For Google devices, security patch levels of 2023-07-05 or later
> address all issues in this bulletin and all issues in the July 2023
> Android Security Bulletin."
> "CVE-2023-21400	A-264663832 *	EoP	Moderate	Kernel io_uring"
> Nothing is mentioned about seccomp-bpf on either of the above web pages,
> although maybe it's factored into the Moderate severity rating?
> I understand that with vulnerability detail still not public you might
> not be able to tell much, but I am wondering whether there's any
> inconsistency here (seccomp-bpf on Android was meant to prevent this,
> but did not?) or just a misunderstanding or something else.  I wonder
> if a vulnerability in io_uring could be such that it's exploitable
> without io_uring access directly from the attacking app.

FWIW we reached out to the Android CNA team, but their statement back
to us was that they pulled quite a number of backport commits into their 5.5
and 5.10 based trees, but did either not specify nor identify specific commits
fixing the issue (or further details) so far.

Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.