
List:       oss-security
Subject:    [oss-security] Linux Kernel: Exploitable vulnerability in io_uring
From:       Valentina Palmiotti <chompie () graplsecurity ! com>
Date:       2021-09-18 19:31:00
Message-ID: CALoOwW45LdmFC6nmi8H71FVLmaWZh1xTSA74CAZTfN3r4cwZGQ () mail ! gmail ! com


Hi,

I'm writing to disclose a Linux Kernel vulnerability I found in the
io_uring subsystem.

The vulnerability is in fs/io_uring.c at loop_rw_iter. It is a controllable
kernel buffer free.

Most files implement the file op function read_iter. However, if they don't
(such as a procfs file like /proc/<pid>/maps), loop_rw_iter is called to
manually perform the iterative read/write of a file. The pointer
in req->rw.addr is incremented by the size of the read/write after each
segment. In normal cases, req->rw.addr contains a pointer to a userspace
buffer to read/write from. However, a user can use the
IORING_OP_PROVIDE_BUFFERS command to preselect buffers for I/O operations.
If this is the case, req->rw.addr contains a pointer to a kernel buffer
(io_buffer structure). This buffer is later freed in io_put_kbuf after the
read/write request completes.

This gives the ability to free adjacent buffers at a controllable offset.
It is accessible from an unprivileged context, and straightforward to exploit
for local privilege escalation. I plan to share the specifics for
exploitation in the future.

I disclosed the vulnerability to security@kernel.org, and the patch has
been merged into the mainline kernel. It has also been backported into the
affected stable trees:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc


CVE-2021-41073 has been reserved by MITRE for this vulnerability.

Best,

Valentina
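The defect class the advisory describes, as an added userspace model that is not part of the original post, the kernel source, or the fix commit: a request carries one address field that is either a user buffer (plain case) or a kernel-owned provided-buffer object (kbuf case) that the completion path later releases. A segmented copy loop that advances that field as its cursor in both cases ends up with the release target displaced by exactly the number of bytes transferred. The struct names, the `fixed` flag, and the 16-byte buffer size are all constructed for this model; the hardened variant illustrates the principle (advance a separate cursor, never the object pointer) rather than reproducing the mainline patch.

```c
/* Added example, not from the advisory or the kernel: a userspace model of
 * the loop_rw_iter defect class. All names and sizes here are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SEGMENT 4   /* bytes moved per iteration; constructed for the model */

struct kbuf { char data[16]; };   /* stand-in for the kernel's io_buffer */

struct req {
    uintptr_t addr;    /* user buffer address, or pointer to struct kbuf */
    size_t len;        /* bytes still to transfer */
    bool kbuf;         /* true when addr points at a provided buffer */
};

struct iter { const char *cur; size_t remaining; };  /* data source */

/* Copy up to SEGMENT bytes out of the iterator; returns bytes copied. */
static size_t read_segment(char *dst, struct iter *it) {
    size_t n = it->remaining < SEGMENT ? it->remaining : SEGMENT;
    memcpy(dst, it->cur, n);
    it->cur += n;
    it->remaining -= n;
    return n;
}

/* Segmented copy loop. With fixed == false it advances req->addr on every
 * iteration, mirroring the defect the advisory describes; with fixed == true
 * addr is advanced only when it really is a user buffer. */
static void loop_rw(struct req *r, struct iter *it, char *out, bool fixed) {
    size_t done = 0;
    while (r->len) {
        size_t n = read_segment(out + done, it);
        if (n == 0)
            break;
        done += n;
        r->len -= n;
        if (!fixed || !r->kbuf)
            r->addr += n;
    }
}

/* Completion path: the address the kbuf release would hand to the allocator.
 * Returned rather than freed so the buggy variant cannot corrupt this heap. */
static uintptr_t kbuf_release_target(const struct req *r) {
    return r->kbuf ? r->addr : 0;
}

/* Run one kbuf-backed request of nbytes (<= 16) through the loop and report
 * the release target as an offset from the kbuf object: 0 is the right object,
 * anything else would free memory at a caller-chosen distance from it. */
ptrdiff_t release_offset(size_t nbytes, bool fixed) {
    struct kbuf *kb = calloc(1, sizeof *kb);
    char out[sizeof kb->data] = {0};
    struct req r = { .addr = (uintptr_t)kb, .len = nbytes, .kbuf = true };
    struct iter it = { .cur = kb->data, .remaining = nbytes };
    loop_rw(&r, &it, out, fixed);
    ptrdiff_t off = (ptrdiff_t)(kbuf_release_target(&r) - (uintptr_t)kb);
    free(kb);
    return off;
}

int main(void) {
    printf("buggy loop: release target is %td bytes past the kbuf\n",
           release_offset(10, false));
    printf("fixed loop: release target is %td bytes past the kbuf\n",
           release_offset(10, true));
    return 0;
}
```

The model makes the advisory's "controllable offset" concrete: in the buggy variant the displacement equals the request length the submitter chose, while the hardened variant leaves the object pointer untouched no matter how many segments the loop runs. The same separation of cursor from ownership pointer is the property a reviewer should look for in any I/O path that reuses one address field for two different kinds of object.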


