Bug 2254050 (CVE-2024-0582) - CVE-2024-0582 kernel: io_uring: page use-after-free vulnerability via buffer ring mmap [NEEDINFO]
Summary: CVE-2024-0582 kernel: io_uring: page use-after-free vulnerability via buffer ...
Keywords:
Status: NEW
Alias: CVE-2024-0582
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2258515
Blocks: 2254048
Reported: 2023-12-11 17:51 UTC by Mauro Matteo Cascella
Modified: 2024-04-12 21:02 UTC (History)
CC: 48 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmaps it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:
allarkin: needinfo? (jmoyer)

Description Mauro Matteo Cascella 2023-12-11 17:51:31 UTC
Since commit c56e022c0a27 ("io_uring: add support for user mapped provided buffer ring"), landed in Linux 6.4, io_uring makes it possible to allocate, mmap, and deallocate "buffer rings".

A "buffer ring" can be allocated with io_uring_register(..., IORING_REGISTER_PBUF_RING, ...) and later deallocated with io_uring_register(..., IORING_UNREGISTER_PBUF_RING, ...). It can be mapped into userspace using mmap() with offset IORING_OFF_PBUF_RING|..., which creates a VM_PFNMAP mapping, meaning the MM subsystem will treat the mapping as a set of opaque page frame numbers not associated with any corresponding pages; this implies that the calling code is responsible for ensuring that the mapped memory cannot be freed before the userspace mapping is removed.

However, there is no mechanism to ensure this in io_uring: It is possible to just register a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then free the buffer ring's pages with IORING_UNREGISTER_PBUF_RING, leaving free pages mapped into userspace, which is a fairly easily exploitable situation.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c392cbecd8eca4c53f2bf508731257d9d0a21c2d

Comment 6 Alex 2024-01-15 19:02:01 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2258515]

Comment 8 Justin M. Forbes 2024-01-15 19:28:06 UTC
This was fixed for fedora with the 6.6.5 stable kernel updates.