
List:       oss-security
Subject:    Re: [oss-security] Linux: UaF due to concurrency issue in io_uring timeouts
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2022-04-22 16:02:58
Message-ID: YmLRsltx7Y1s0vo2 () eldamar ! lan

Hi David,

On Fri, Apr 22, 2022 at 02:43:27AM +0200, David Bouman wrote:
> Hello list,
> 
> We (Jayden Rivers and David Bouman) are disclosing a bug we found in the
> Linux kernel's io_uring subsystem. We have written a local privilege
> escalation PoC that can successfully elevate to system root from an
> unprivileged process (in a container). We will be releasing a blog post
> (including exploit code) in a week or two. It should be noted that unlike
> many Linux vulnerabilities that have surfaced recently, triggering this one
> does not require an attacker to have any kind of privileges (e.g. in a user
> namespace). This leaves many systems vulnerable.
> 
> We are still looking for a CNA representative that can assign a CVE number
> for this vulnerability; please contact us!
> 
> Kernel versions 5.10+ are affected, and linux-stable patches are already
> pushed. The upstream patch commit is
> e677edbcabee849bfdd43f1602bccbecf736a646 ("io_uring: fix race between
> timeout flush and removal").
> 
> When the IORING_OP_TIMEOUT (T) and IORING_OP_LINK_TIMEOUT (LT) opcodes are
> combined in a linked submission queue entry, and another request (B)
> finishes, a race might occur: namely, when due to the completion of B, T is
> cancelled (through the completion event count), and LT is cancelled by its
> hrtimer at the same time. Whilst T is still being cleaned up, LT is already
> freed by a different execution context, and since they are linked, the
> cleanup of T retains a dangling reference to the now-freed LT. Hence,
> there's a use-after-free.
> 
> Exploitation-wise, the attacker can reallocate LT to another `struct
> io_kiocb` and defer the UaF to e.g. a `struct file` (this is the technique
> we will describe in the aforementioned blog post).
> 
> The race window is quite tight and the scenario is complicated, so the race
> can only be won very infrequently in our experience.
> 
> It is advised to upgrade your kernel to the latest version ASAP.
> 
> Greetings,
> 
> Jayden Rivers & David Bouman

This has CVE-2022-29582 assigned.

https://www.cve.org/CVERecord?id=CVE-2022-29582

Regards,
Salvatore
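The lifetime problem the report describes (T's cleanup walks its link into LT while a second context has already dropped LT) is easiest to see in a small model. The program below is an added, constructed userland illustration written for this page; it is not io_uring code, not the upstream fix, and the `struct req`, `req_get`/`req_put` and `run_interleaving` names are assumptions. It replaces `free()` with a tombstone flag so the bad access can be detected instead of being undefined behaviour, and contrasts the unpinned cleanup with one that holds its own reference on the linked object for as long as it uses it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of two linked requests (not kernel code). */
struct req {
    const char *name;
    int refs;          /* reference count; the object is released when it hits 0 */
    bool released;     /* tombstone used instead of free() so misuse is detectable */
    struct req *link;  /* T -> LT link (the linked timeout) */
};

static void req_get(struct req *r) { r->refs++; }

static void req_put(struct req *r)
{
    if (--r->refs == 0)
        r->released = true;   /* a real implementation would free() here */
}

/* Stand-in for "cleanup of T dereferences its link": returns true when the
 * object being read has already been released, i.e. a use-after-free. */
static bool cleanup_reads_link(struct req *linked)
{
    return linked->released;
}

/* One interleaving of the two execution contexts from the report:
 *   context A: completion of B flushes T; T's cleanup takes the link pointer
 *   context B: LT's timer fires and drops the timer's reference on LT
 *   context A: continues cleanup through the link pointer
 * With pin_link set, context A takes its own reference before B can run.
 * Returns true if a use-after-free was detected; *leaked reports whether
 * either object was never released. */
static bool run_interleaving(bool pin_link, bool *leaked)
{
    struct req lt = { "LT", 1, false, NULL };
    struct req t  = { "T",  1, false, &lt };
    struct req *linked = t.link;   /* context A: begin cleaning up T */
    bool uaf;

    if (pin_link)
        req_get(linked);           /* context A: pin LT while it is in use */

    req_put(&lt);                  /* context B: timer drops its reference on LT */

    uaf = cleanup_reads_link(linked);   /* context A: keeps using the link */
    if (pin_link)
        req_put(linked);           /* context A: last use is over, drop the pin */
    req_put(&t);

    *leaked = !lt.released || !t.released;
    return uaf;
}

static bool unsafe_variant(void)     { bool l; return run_interleaving(false, &l); }
static bool safe_variant(void)       { bool l; return run_interleaving(true,  &l); }
static bool safe_variant_leaks(void) { bool l; run_interleaving(true, &l); return l; }

int main(void)
{
    printf("unpinned link: uaf=%d\n", unsafe_variant());  /* 1 */
    printf("pinned link:   uaf=%d\n", safe_variant());    /* 0 */
    return 0;
}
```

The model is deterministic on purpose: the interleaving that matters is written out step by step rather than left to a scheduler, which is also how such a window is usually reasoned about during review. The only difference between the two variants is whether the cleanup path owns a reference on the object it walks to, which is the invariant a defender checks for when auditing linked-object teardown.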