Bug 2203054 (CVE-2023-2598)
| Summary: | CVE-2023-2598 kernel: io_uring out-of-bounds access to physical memory | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Rohit Keshri <rkeshri> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | acaringi, allarkin, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, ldoskova, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, qzhao, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | kernel 6.4-rc1 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the fixed buffer registration code for io_uring (io_sqe_buffer_register in io_uring/rsrc.c) in the Linux kernel that allows out-of-bounds access to physical memory beyond the end of the buffer. This flaw enables full local privilege escalation. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-11 11:13:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2211100, 2211101 | ||
| Bug Blocks: | 2196300 | ||

No shipped kernel versions were seen to be affected by this problem. These files are not built in our source code. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-2598

A vulnerability in the fixed buffer registration code for io_uring (io_sqe_buffer_register in io_uring/rsrc.c) allows out-of-bounds access to physical memory beyond the end of the buffer. This can be used to achieve full local privilege escalation.

The vulnerable code landed in 6.3-rc1 with commit 57bebf807e2a ("io_uring/rsrc: optimise registered huge pages")¹. A fix has been committed upstream for 6.4-rc1 in commit 776617db78c6 ("io_uring/rsrc: check for nonconsecutive pages")². The fix has also been staged³ for 6.3.2.

Reference: https://www.openwall.com/lists/oss-security/2023/05/08/3