race condition in io_uring leads to Local Privilege Escalation

Bug #1989435 reported by neoni

Affects: linux-hwe (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Hello. I'm neoni. I would like to report a vulnerability that leads to a Use After Free.

An unprivileged attacker may use this vulnerability to get root, i.e. to achieve local privilege escalation.

Here are the details:
When io_uring performs an io_sqe_buffers_unregister/io_sqe_files_unregister operation, it unlocks ctx->uring_lock during the io_rsrc_ref_quiesce process and only later releases the files/buffers. So an attacker could submit a file/buffer read/write related operation by racing the io_rsrc_ref_quiesce process. When the files/buffers are released and ctx starts to process the new SQE, a Use-After-Free is triggered.

The vulnerability was already patched as a bug in Linux mainstream 5.19 and 6.0 (https://github.com/torvalds/linux/commit/d11d31fc5d8a96f707facee0babdcffaafa38de2) (https://github.com/torvalds/linux/commit/b0380bf6dad4601d92025841e2b7a135d566c6e3).

A PoC that crashes the kernel is attached. It affects the most recent Ubuntu kernel images as well as some hwe/oem kernels such as hwe-5.17.

neoni (neoni):
affects: ubuntu → linux-hwe (Ubuntu)
description: updated

Thadeu Lima de Souza Cascardo (cascardo) wrote:

Thanks, neoni. We appreciate the report. Sorry it took this long to get a response.

Those fixes are already applied in our 5.15 kernels and we don't support 5.19 and 6.0 anymore. Since these have been fixed in 6.1 and later kernels and 5.4 does not carry those features, we consider this issue fixed in all the supported kernels we currently ship.

Thanks again.
Cascardo.

information type: Private Security → Public Security
Changed in linux-hwe (Ubuntu):
status: New → Fix Released