Re: Linux Kernel: Exploitable vulnerability in io_uring

[Solar Designer <solar () openwall com>]

Hi,

On Sat, Sep 18, 2021 at 02:31:00PM -0500, Valentina Palmiotti wrote:
> I'm writing to disclose a Linux Kernel vulnerability I found in the
> io_uring subsystem.
>
> The vulnerability is in fs/io_uring.c at loop_rw_iter. It is a controllable
> kernel buffer free.
>
> Most files implement the file op function read_iter. However, if they don't
> (such as a procfs file like /proc/<pid>/maps), loop_rw_iter is called to
> manually perform the iterative read/write of a file. The pointer
> in req->rw.addr is incremented by the size of the read/write after each
> segment. In normal cases, req->rw.addr contains a pointer to a userspace
> buffer to read/write from. However, a user can use the
> IORING_OP_PROVIDE_BUFFERS command to preselect buffers for I/O operations.
> If this is the case, req->rw.addr contains a pointer to a kernel buffer
> (io_buffer structure). This buffer is later freed in io_put_kbuf after the
> read/write request completes.
>
> This gives the ability to free adjacent buffers at a controllable offset.
> It is accessible from unprivileged, and straight forward to exploit for
> local privilege escalation. I plan to share the specifics for exploitation
> in the future.
>
> I disclosed the vulnerability to security () kernel org, and the patch has
> been merged into the mainline kernel. It has also been backported into the
> affected stable trees:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc
>
> CVE-2021-41073 has been reserved by MITRE for this vulnerability

Here's Valentina's writeup on the above (March 16, 2022) and exploit:

https://www.graplsecurity.com/post/iou-ring-exploiting-the-linux-kernel
https://github.com/chompie1337/Linux_LPE_io_uring_CVE-2021-41073

Ideally, we'd also post (attach) the actual content (not only links) to
the list for archival, but this is non-trivial.  Valentina, please feel
free to do that in a reply if you like, or not if you don't.

As far as I can tell, this issue wasn't handled via linux-distros (so
the exploit must not have been in there either, and is thus not subject
to the mandatory oss-security posting policy), but I did not verify.
The writeup above includes:

> 9/13/2021: Greg K-H responds to my initial report that states I want to
> coordinate disclosure with the linux-distros mailing list so downstream
> consumers can apply the patch. He says since most distros sync on stable
> releases, it is not necessary to get the distro list involved. I don't
> get the distro list involved.

Alexander