Bug 2174754 (CVE-2023-23586)

Summary: CVE-2023-23586 kernel: io_uring: read use-after-free can lead to kernel memory leak
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, bhu, chwhite, crwood, ddepaula, debarbos, dfreiber, dhoward, dvlasenk, ezulian, fhrbata, hkrzesin, jarod, jburrell, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, qzhao, rogbas, rvrbovsk, scweaver, tyberry, vkumar, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.12 Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was discovered in the Linux kernel's io_uring subsystem. It was found that it is possible to insert a time namespace's vvar page to process memory space via a page fault. When this time namespace is destroyed, the vvar page is also freed, but not removed from the process' memory, and a next page allocated by the kernel will be still available from the user-space process. This (read-only) use-after-free vulnerability can lead to kernel memory leak.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-02 13:40:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2171897    

Description Mauro Matteo Cascella 2023-03-02 11:40:01 UTC 
Due to a vulnerability in the io_uring subsystem, it is possible to leak kernel memory information to the user process. timens_install calls current_is_single_threaded to determine if the current process is single-threaded, but this call does not consider io_uring's io_worker threads, thus it is possible to insert a time namespace's vvar page to process's memory space via a page fault. When this time namespace is destroyed, the vvar page is also freed, but not removed from the process' memory, and a next page allocated by the kernel will be still available from the user-space process and can leak memory contents via this (read-only) use-after-free vulnerability. We recommend upgrading past version 5.10.161 or commit:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/io_uring?h=linux-5.10.y&id=788d0824269bef539fe31a785b1517882eafed93
Comment 1 Mauro Matteo Cascella 2023-03-02 11:43:40 UTC 
According to https://www.linuxkernelcves.com/cves/CVE-2023-23586, this flaw was fixed in upstream kernel 5.12 via https://github.com/torvalds/linux/commit/4379bf8bd70b5de6bba7d53015b0c36c57a634ee.