Bug 2222087 (CVE-2023-21400)

Summary: CVE-2023-21400 kernel: io_uring: io_defer_entry object double free vulnerability
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, allarkin, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, guazhang, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, jmoyer, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, ldoskova, lgoncalv, lzampier, nmurray, ptalbert, qzhao, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, tglozar, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote, ymankad
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A double-free vulnerability was found in the io_uring subsystem in the Linux kernel. This issue may allow a malicious local user to crash the kernel or elevate their privileges on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2222099, 2222100
Bug Blocks: 2222077

Description Mauro Matteo Cascella 2023-07-11 18:30:39 UTC
A double-free vulnerability was found in io_uring, affecting the Linux kernel 5.10. Nicolas Wu and Ye Zhang were able to exploit this flaw with Dirty Pagetable to bypass all the mitigation techniques deployed on the latest Google Pixel 7 and achieve local privilege escalation.

References:
https://source.android.com/docs/security/bulletin/pixel/2023-07-01
https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html
https://www.openwall.com/lists/oss-security/2023/07/14/2

Comment 3 guazhang@redhat.com 2023-07-13 00:33:15 UTC
Hi,

Any reproducer here or test steps, and how to verify the bug in RHEL?

Comment 4 Mauro Matteo Cascella 2023-07-16 10:14:38 UTC
Hi,

> Any reproducer here or test steps, and how to verify the bug in RHEL?

No reproducer available and vulnerability details are not yet public (see references in comment 0).

Comment 6 Mauro Matteo Cascella 2023-07-25 15:04:12 UTC
The "Dirty Pagetable" article has been updated with exploit information. As for the fix, see https://www.openwall.com/lists/oss-security/2023/07/25/9.

Upstream commit:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.15.y&id=fb348857e7b67eefe365052f1423427b66dedbf3