Bug 2127890 (CVE-2022-3176) - CVE-2022-3176 kernel: use-after-free in io_uring for POLLFREE notification with Signalfd_poll() and binder_poll()
Summary: CVE-2022-3176 kernel: use-after-free in io_uring for POLLFREE notification wi...
Keywords:
Status: NEW
Alias: CVE-2022-3176
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2127891 2127898 2127899
Blocks: 2127526
 
Reported: 2022-09-19 10:07 UTC by Alex
Modified: 2023-09-26 20:50 UTC (History)
CC: 49 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in io_uring in the Linux kernel. This flaw allows a local user to trigger the issue if a signalfd or binder fd is polled with the io_uring poll due to a lack of io_uring POLLFREE handling.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Alex 2022-09-19 10:07:02 UTC
A use-after-free flaw in io_uring in the Linux kernel was found.
A local user can trigger it if a signalfd or binder fd is polled with io_uring poll, because of a lack of io_uring POLLFREE handling.

References:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fc78b2fc21f10c4c9c4d5d659a685710ffa63659
https://kernel.dance/#fc78b2fc21f10c4c9c4d5d659a685710ffa63659

Comment 1 Alex 2022-09-19 10:07:28 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2127891]

Comment 5 Justin M. Forbes 2022-10-04 15:02:20 UTC
This was fixed for Fedora with the 5.17.x kernel rebases.

