CVE-2021-41073: security - Linux Kernel: Exploitable vulnerability in io_uring

• Products
  • Openwall GNU/*/Linux server OS
  • Linux Kernel Runtime Guard
  • John the Ripper password cracker
    • Free & Open Source for any platform
    • in the cloud
    • Pro for Linux
    • Pro for macOS
  • Wordlists for password cracking
  • passwdqc policy enforcement
    • Free & Open Source for Unix
    • Pro for Windows (Active Directory)
  • yescrypt KDF & password hashing
  • yespower Proof-of-Work (PoW)
  • crypt_blowfish password hashing
  • phpass ditto in PHP
  • tcb better password shadowing
  • Pluggable Authentication Modules
  • scanlogd port scan detector
  • popa3d tiny POP3 daemon
  • blists web interface to mailing lists
  • msulogin single user mode login
  • php_mt_seed mt_rand() cracker
• Services
• Publications
  • Articles
  • Presentations
• Resources
  • Mailing lists
  • Community wiki
  • Source code repositories (GitHub)
  • Source code repositories (CVSweb)
  • File archive & mirrors
  • How to verify digital signatures
  • OVE IDs
• What’s new

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Sat, 18 Sep 2021 14:31:00 -0500 From: Valentina Palmiotti <chompie@…plsecurity.com> To: oss-security@…ts.openwall.com Subject: Linux Kernel: Exploitable vulnerability in io_uring

Hi,

I’m writing to disclose a Linux Kernel vulnerability I found in the io_uring subsystem.

The vulnerability is in fs/io_uring.c at loop_rw_iter. It is a controllable kernel buffer free.

Most files implement the file op function read_iter. However, if they don’t (such as a procfs file like /proc/<pid>/maps), loop_rw_iter is called to manually perform the iterative read/write of a file. The pointer in req->rw.addr is incremented by the size of the read/write after each segment. In normal cases, req->rw.addr contains a pointer to a userspace buffer to read/write from. However, a user can use the IORING_OP_PROVIDE_BUFFERS command to preselect buffers for I/O operations. If this is the case, req->rw.addr contains a pointer to a kernel buffer (io_buffer structure). This buffer is later freed in io_put_kbuf after the read/write request completes.

This gives the ability to free adjacent buffers at a controllable offset. It is accessible from unprivileged, and straight forward to exploit for local privilege escalation. I plan to share the specifics for exploitation in the future.

I disclosed the vulnerability to security () kernel org, and the patch has been merged into the mainline kernel. It has also been backported into the affected stable trees: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc

CVE-2021-41073 has been reserved by MITRE for this vulnerability

Best,

Valentina

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.