List: oss-security
Subject: Re: [oss-security] Linux: UaF due to concurrency issue in io_uring timeouts
From: Salvatore Bonaccorso <carnil () debian ! org>
Date: 2022-04-22 16:02:58
Message-ID: YmLRsltx7Y1s0vo2 () eldamar ! lan
Hi David,
On Fri, Apr 22, 2022 at 02:43:27AM +0200, David Bouman wrote:
> Hello list,
>
> We (Jayden Rivers and David Bouman) are disclosing a bug we found in the
> Linux kernel's io_uring subsystem. We have written a local privilege
> escalation PoC that can successfully elevate to system root from an
> unprivileged process (in a container). We will be releasing a blog post
> (including exploit code) in a week or two. It should be noted that unlike
> many Linux vulnerabilities that have surfaced recently, triggering this one
> does not require an attacker to have any kind of privileges (e.g. in a user
> namespace). This leaves many systems vulnerable.
>
> We are still looking for a CNA representative that can assign a CVE number
> for this vulnerability; please contact us!
>
> Kernel versions 5.10+ are affected, and linux-stable patches are already
> pushed. The upstream patch commit is
> e677edbcabee849bfdd43f1602bccbecf736a646 ("io_uring: fix race between
> timeout flush and removal").
>
> When the IORING_OP_TIMEOUT (T) and IORING_OP_LINK_TIMEOUT (LT) opcodes are
> combined in a linked submission queue entry, and another request (B)
> finishes, a race might occur: namely, when due to the completion of B, T is
> cancelled (through the completion event count), and LT is cancelled by its
> hrtimer at the same time. Whilst T is still being cleaned up, LT is already
> freed by a different execution context, and since they are linked, the
> cleanup of T retains a dangling reference to the now-freed LT. Hence,
> there's a use-after-free.
>
> Exploitation-wise, the attacker can reallocate LT to another `struct
> io_kiocb` and defer the UaF to e.g. a `struct file` (this is the technique
> we will describe in the aforementioned blog post).
>
> The race window is quite tight and the scenario is complicated, so the race
> can only be won very infrequently in our experience.
>
> It is advised to upgrade your kernel to the latest ASAP.
>
> Greetings,
>
> Jayden Rivers & David Bouman
This has CVE-2022-29582 assigned.
https://www.cve.org/CVERecord?id=CVE-2022-29582
Regards,
Salvatore
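The report above notes that the bug is reachable from an unprivileged process inside a container, since io_uring needs no special privilege. Until a fixed kernel is running, the usual stop-gap is to deny the io_uring syscalls to workloads that do not need them. The following seccomp-BPF filter is an added example, not code from the thread or from the kernel patch; it assumes a Linux host with seccomp filter support and uses the io_uring syscall numbers 425-427, which are the same on every architecture.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_io_uring_setup   /* older headers: same numbers on every arch */
#define __NR_io_uring_setup 425
#define __NR_io_uring_enter 426
#define __NR_io_uring_register 427
#endif

/* Deny io_uring_setup/enter/register with EPERM and allow everything else.
 * Jump offsets count from the instruction after the jump. */
static struct sock_filter io_uring_deny[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_setup, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_enter, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_register, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Install the filter; every child of this process inherits it. */
int block_io_uring(void)
{
    struct sock_fprog prog = {
        .len = sizeof(io_uring_deny) / sizeof(io_uring_deny[0]),
        .filter = io_uring_deny,
    };
    /* no_new_privs lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probe io_uring_setup with a NULL params pointer (it never creates a ring)
 * and return the errno it fails with: EPERM once the filter is installed. */
int probe_io_uring_errno(void)
{
    if (syscall(__NR_io_uring_setup, 1, NULL) < 0)
        return errno;
    return 0;
}
```

Call block_io_uring() early in a container entrypoint or sandbox launcher; container runtimes normally express the same rule in their seccomp profile rather than in code.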