Bug 2087936 (CVE-2022-1116)

Summary: CVE-2022-1116 kernel: Integer Overflow or Wraparound vulnerability in io_uring
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bdettelb, bhu, chwhite, crwood, ddepaula, dvlasenk, esandeen, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, jmoyer, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, steved, vkumar, walters, williams
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-05-25 14:48:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2087939, 2089127, 2089128
Bug Blocks: 2087940

Description Guilherme de Almeida Suckevicz 2022-05-18 14:57:41 UTC
An Integer Overflow or Wraparound vulnerability in io_uring of the Linux Kernel allows a local attacker to cause memory corruption and escalate privileges to root. This issue affects: Linux Kernel versions prior to 5.4.189; version 5.4.24 and later versions.

References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/fs/io_uring.c?h=v5.4.189&id=1a623d361ffe5cecd4244a02f449528416360038
https://kernel.dance/#1a623d361ffe5cecd4244a02f449528416360038

Comment 1 Guilherme de Almeida Suckevicz 2022-05-18 14:59:03 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2087939]

Comment 6 Eric Sandeen 2022-05-24 18:09:19 UTC
The upstream fix is specifically targeted at -stable kernels, fixing a commit that exists only in those forks.

The -stable fix "Fixes:" a custom -stable commit 1a623d361ffe5cecd4244a02f449528416360038, which was intended to mimic ff002b30181d30cdfbca316dadd099c3ca0d739c and 9392a27d88b9707145d713654eb26f0c29789e50 upstream.  I think that commit introduced a flaw unique to -stable (sic) kernels.

I don't /think/ this flaw exists upstream, or in RHEL9.

Jeff, can you help confirm?

Thanks,
-Eric

Comment 7 Jeff Moyer 2022-05-25 02:30:15 UTC
Yes, that looks right to me.  Upstream always put the reference when the request was freed.

Comment 8 Eric Sandeen 2022-05-25 14:48:28 UTC
Thanks Jeff. And I should have noticed that io_uring isn't even /enabled/ for RHEL9:

[sandeen@host rhel-9]$ cat redhat/configs/ark/generic/CONFIG_IO_URING
# CONFIG_IO_URING is not set

so of course this is NOTABUG.

Comment 9 Eric Sandeen 2022-05-25 15:02:54 UTC
Sorry, I meant to close the RHEL9 bug.

Comment 11 Justin M. Forbes 2022-06-29 16:16:52 UTC
This issue was specific to the 5.4 stable tree, releases between 5.4.24 to 5.4.189. Fedora did not ship these kernels.