
List:       oss-security
Subject:    [oss-security] CVE-2021-3491 - Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT bypass
From:       Thadeu Lima de Souza Cascardo <cascardo () canonical ! com>
Date:       2021-05-11 18:13:46
Message-ID: 20210511181346.GM12149 () mussarela

It was discovered that the io_uring PROVIDE_BUFFERS operation allowed the
MAX_RW_COUNT limit to be bypassed, which led to negative values being used
in mem_rw when reading /proc/<PID>/mem.

Billy Jheng Bing-Jhong (@st424204) of STAR Labs working with Trend Micro's
Zero Day Initiative discovered that this vulnerability could be turned into
a heap overflow. This has been reported as ZDI-CAN-13546, and assigned
CVE-2021-3491.

IORING_OP_PROVIDE_BUFFERS was introduced in commit ddf0322db79c ("io_uring:
add IORING_OP_PROVIDE_BUFFERS") where lengths larger than MAX_RW_COUNT
could be used and accepted. This commit was introduced in 5.7-rc1. It was
not backported to any upstream LTS kernels.

This has been fixed by commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db


Cascardo.
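
An added illustration, not code from the kernel or from this advisory, of why a buffer length above MAX_RW_COUNT turns negative once a consumer handles it as a signed value, and how truncating the length at registration avoids that. The struct, the function names, the 4 KiB page size and the consumer are assumptions of this user-space model.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model constants: 4 KiB pages assumed; MAX_RW_COUNT is INT_MAX rounded
 * down to a page boundary, as in the kernel's definition. */
#define MODEL_PAGE_SIZE 4096u
#define MODEL_MAX_RW_COUNT ((uint32_t)INT_MAX & ~(MODEL_PAGE_SIZE - 1u))

struct provided_buf { uint32_t len; };  /* hypothetical registered buffer */

/* Behaviour the advisory describes: any 32-bit length is accepted as-is. */
static void provide_unchecked(struct provided_buf *b, uint32_t len)
{
    b->len = len;
}

/* Hardened registration: lengths above the limit are truncated to it. */
static void provide_clamped(struct provided_buf *b, uint32_t len)
{
    b->len = len < MODEL_MAX_RW_COUNT ? len : MODEL_MAX_RW_COUNT;
}

/* Hypothetical consumer that sizes each copy with a signed 32-bit value,
 * a pattern that relies on callers having enforced MAX_RW_COUNT. */
static int32_t consumer_chunk_len(uint32_t count)
{
    int32_t signed_count;
    memcpy(&signed_count, &count, sizeof signed_count); /* reinterpret bits */
    return signed_count < (int32_t)MODEL_PAGE_SIZE ? signed_count
                                                   : (int32_t)MODEL_PAGE_SIZE;
}

/* Returns 1 when a consumer would see a non-negative chunk length. */
static int length_is_safe(const struct provided_buf *b)
{
    return b->len <= MODEL_MAX_RW_COUNT && consumer_chunk_len(b->len) >= 0;
}

int main(void)
{
    struct provided_buf b;
    provide_unchecked(&b, 0x80000000u);   /* constructed oversized length */
    printf("unchecked: chunk=%d safe=%d\n", (int)consumer_chunk_len(b.len), length_is_safe(&b));
    provide_clamped(&b, 0x80000000u);
    printf("clamped:   chunk=%d safe=%d\n", (int)consumer_chunk_len(b.len), length_is_safe(&b));
    return 0;
}
```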

