In the Linux kernel before 5.4.2, the io_uring feature leads to requests that inadvertently have UID 0 and full capabilities. This is related to fs/io-wq.c, fs/io_uring.c, and net/socket.c. For example, an attacker can bypass intended restrictions on adding an IPv4 address to the loopback interface. This occurs because IORING_OP_SENDMSG operations, although requested in the context of an unprivileged user, are sometimes performed by a kernel worker thread without considering that context. Reference: https://bugs.chromium.org/p/project-zero/issues/detail?id=1975 Upstream commits: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=181e448d8709e517c9c7b523fcd209f24eb38ca7 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d69e07793f891524c6bbf1e75b9ae69db4450953
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1784945]
This is fixed for Fedora with the 5.3.15 stable kernel updates.
Statement: At this time, no Red Hat Enterprise Linux products ship with support for this feature. There is an outstanding feature request for io_uring to be included with Red Hat Enterprise Linux 8.
Feature request here: https://bugzilla.redhat.com/show_bug.cgi?id=1706143 Engineering has been made aware of the patches required to fix the CVE in that feature request and product security's request to have these patches included pre-release.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19241