Bug 1959565 (CVE-2021-3491) - CVE-2021-3491 kernel: Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT bypass
Summary: CVE-2021-3491 kernel: Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT bypass
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-3491
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1959566 Red Hat1966635
Blocks: Embargoed1959567
TreeView+ depends on / blocked
 
Reported: 2021-05-11 19:09 UTC by Pedro Sampaio
Modified: 2021-06-15 11:13 UTC (History)
42 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. The io_uring PROVIDE_BUFFERS operation allowed the MAX_RW_COUNT limit to be bypassed, which led to negative values being used in mem_rw when reading /proc/<PID>/mem. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-06-01 14:54:35 UTC

Attachments (Terms of Use)

Description Pedro Sampaio 2021-05-11 19:09:25 UTC 
It was discovered that io_uring PROVIDE_BUFFERS operation allowed the MAX_RW_COUNT limit to be bypassed, which led to negative values being used
in mem_rw when reading /proc/<PID>/mem.

References:

https://www.openwall.com/lists/oss-security/2021/05/11/13
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db
Comment 1 Pedro Sampaio 2021-05-11 19:10:07 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1959566]
Note You need to log in before you can comment on or make changes to this bug.