Message-ID: <CALoOwW45LdmFC6nmi8H71FVLmaWZh1xTSA74CAZTfN3r4cwZGQ@mail.gmail.com>
Date: Sat, 18 Sep 2021 14:31:00 -0500
From: Valentina Palmiotti <chompie@...plsecurity.com>
To: oss-security@...ts.openwall.com
Subject: Linux Kernel: Exploitable vulnerability in io_uring

Hi,

I'm writing to disclose a Linux Kernel vulnerability I found in the io_uring subsystem.

The vulnerability is in fs/io_uring.c at loop_rw_iter. It is a controllable kernel buffer free.

Most files implement the file op function read_iter. However, if they don't (such as a procfs file like /proc/<pid>/maps), loop_rw_iter is called to manually perform the iterative read/write of a file. The pointer in req->rw.addr is incremented by the size of the read/write after each segment.

In normal cases, req->rw.addr contains a pointer to a userspace buffer to read/write from. However, a user can use the IORING_OP_PROVIDE_BUFFERS command to preselect buffers for I/O operations. If this is the case, req->rw.addr contains a pointer to a kernel buffer (io_buffer structure). This buffer is later freed in io_put_kbuf after the read/write request completes. This gives the ability to free adjacent buffers at a controllable offset.

It is accessible from an unprivileged user, and straightforward to exploit for local privilege escalation. I plan to share the specifics for exploitation in the future.

I disclosed the vulnerability to security () kernel org, and the patch has been merged into the mainline kernel. It has also been backported into the affected stable trees:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc

CVE-2021-41073 has been reserved by MITRE for this vulnerability.

Best,
Valentina
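The bug class the report describes is a pointer field whose meaning depends on a mode flag (user buffer vs. kernel io_buffer) being advanced unconditionally and then reaching a free path. The following is an added, deliberately simplified C model written for this post to illustrate that asymmetry; it is not kernel code, the struct and function names (rw_req_model, advance_segment_buggy, advance_segment_fixed, simulate_loop_rw) are hypothetical, and the "fixed" variant is one way to express the correction, not a transcription of the linked upstream commit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model of the request state described in the
 * report. None of these names are the kernel's own. */
struct rw_req_model {
    bool kbuf_selected;  /* buffer was preselected via IORING_OP_PROVIDE_BUFFERS */
    uintptr_t addr;      /* user buffer address, or kernel io_buffer address when kbuf_selected */
    size_t len;          /* bytes still to transfer */
};

/* Pre-fix behaviour as the report describes it: the address is advanced
 * after every segment regardless of what it points at. */
static void advance_segment_buggy(struct rw_req_model *req, size_t nr)
{
    req->addr += nr;
    req->len  -= nr;
}

/* Corrected behaviour (one way to express the fix; the real patch is in the
 * commit linked above): only a user buffer address is advanced, so a
 * kernel io_buffer pointer stays exactly where the allocator handed it out. */
static void advance_segment_fixed(struct rw_req_model *req, size_t nr)
{
    req->len -= nr;
    if (!req->kbuf_selected)
        req->addr += nr;
}

/* Drive a segmented transfer of total_len bytes in seg_len pieces (the loop
 * that loop_rw_iter performs for files lacking read_iter) and return the
 * address left in req->addr at completion, i.e. what a model of
 * io_put_kbuf would hand to the allocator's free routine when
 * kbuf_selected is set. */
uintptr_t simulate_loop_rw(bool fixed, bool kbuf_selected, uintptr_t start,
                           size_t total_len, size_t seg_len)
{
    struct rw_req_model req = { kbuf_selected, start, total_len };

    while (req.len > 0) {
        size_t nr = req.len < seg_len ? req.len : seg_len;
        if (fixed)
            advance_segment_fixed(&req, nr);
        else
            advance_segment_buggy(&req, nr);
    }
    return req.addr;
}

int main(void)
{
    /* Constructed sample values: a fake kernel buffer at 0x1000, a 100-byte
     * read delivered in 40-byte segments. */
    uintptr_t kbuf = 0x1000;

    printf("buggy, kernel buffer : free target 0x%lx (displaced by %lu)\n",
           (unsigned long)simulate_loop_rw(false, true, kbuf, 100, 40),
           (unsigned long)(simulate_loop_rw(false, true, kbuf, 100, 40) - kbuf));
    printf("fixed, kernel buffer : free target 0x%lx (unchanged)\n",
           (unsigned long)simulate_loop_rw(true, true, kbuf, 100, 40));
    printf("fixed, user buffer   : addr 0x%lx (advancing is correct here)\n",
           (unsigned long)simulate_loop_rw(true, false, kbuf, 100, 40));
    return 0;
}
```

The buggy path ends with the kernel buffer pointer displaced by the total bytes transferred, which is the "controllable offset" the report refers to; the corrected path leaves it untouched while still advancing a genuine user pointer. A defender reviewing similar code should look for exactly this shape: a single field carrying two kinds of pointer and an update that does not check which kind it holds.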