Integer Overflow or Wraparound vulnerability in io_uring of the Linux kernel allows a local attacker to cause memory corruption and escalate privileges to root. This issue affects the Linux 5.4 stable series: releases 5.4.24 and later, prior to 5.4.189. References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/fs/io_uring.c?h=v5.4.189&id=1a623d361ffe5cecd4244a02f449528416360038 https://kernel.dance/#1a623d361ffe5cecd4244a02f449528416360038
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2087939]
The upstream fix is specifically targeted at -stable kernels, fixing a commit that exists only in those forks. The -stable fix "Fixes:" a custom -stable commit 1a623d361ffe5cecd4244a02f449528416360038, which was intended to mimic ff002b30181d30cdfbca316dadd099c3ca0d739c and 9392a27d88b9707145d713654eb26f0c29789e50 upstream. I think that commit introduced a flaw unique to -stable (sic) kernels. I don't /think/ this flaw exists upstream, or in RHEL9. Jeff, can you help confirm? Thanks, -Eric
Yes, that looks right to me. Upstream always put the reference when the request was freed.
Thanks Jeff. And I should have noticed that io_uring isn't even /enabled/ for RHEL9:
[sandeen@host rhel-9]$ cat redhat/configs/ark/generic/CONFIG_IO_URING
# CONFIG_IO_URING is not set
so of course this is NOTABUG.
Sorry, I meant to close the RHEL9 bug.
This issue was specific to the 5.4 stable tree, releases from 5.4.24 to 5.4.189. Fedora did not ship these kernels.
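Added illustration of the bug class named in the description (this is constructed example code, not the io_uring code and not from this bug's fix). It models the mechanism Jeff's remark points at: a request that takes a reference on a shared object but, on one free path, is dropped without putting it, so an unprivileged caller looping alloc/free can drive a plain integer reference count until it wraps to zero and the object is freed underneath a legitimate holder. The struct and function names, the 16-bit counter (so the wrap happens after 65536 steps rather than 2^32), and the saturating variant in the style of the kernel's refcount_t are all assumptions made for the example; the real io_uring details are not on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model (constructed for this example, not the io_uring code).
 * A 16-bit counter is used so the wrap happens after 65536 steps
 * instead of 2^32; the logic is identical for a 32-bit counter.
 */
struct ctx {
    uint16_t refs;     /* reference count on the shared object */
    bool saturating;   /* true: behave like refcount_t and refuse to wrap */
    bool freed;        /* set when the count reaches zero */
};

struct req {
    struct ctx *ctx;   /* each request holds one reference on ctx */
};

static void ctx_get(struct ctx *c)
{
    if (c->saturating && c->refs == UINT16_MAX)
        return;        /* saturate: stay pinned instead of wrapping to 0 */
    c->refs++;         /* plain counter: silently wraps 65535 -> 0 */
}

static void ctx_put(struct ctx *c)
{
    if (c->saturating && c->refs == UINT16_MAX)
        return;        /* saturated object is leaked, never freed */
    if (--c->refs == 0)
        c->freed = true;
}

static struct req *req_alloc(struct ctx *c)
{
    struct req *r = malloc(sizeof(*r));
    if (!r)
        abort();
    r->ctx = c;
    ctx_get(c);
    return r;
}

/* Flawed free path: the request is dropped but its reference is not. */
static void req_free_leaky(struct req *r)
{
    free(r);
}

/* Correct free path: always put the reference when the request is freed. */
static void req_free_balanced(struct req *r)
{
    ctx_put(r->ctx);
    free(r);
}

/*
 * Run `leaks` alloc/free cycles through the leaky path, then one
 * well-behaved cycle. The owner holds one reference throughout, so
 * ctx must never be freed; returns true if it was (use-after-free).
 */
static bool freed_under_owner(unsigned long leaks, bool saturating)
{
    struct ctx c = { .refs = 1, .saturating = saturating, .freed = false };

    for (unsigned long i = 0; i < leaks; i++)
        req_free_leaky(req_alloc(&c));

    /* A correct user takes and drops one reference. */
    req_free_balanced(req_alloc(&c));

    return c.freed;
}

int main(void)
{
    printf("plain counter, 10 leaks:         freed=%d\n", freed_under_owner(10, false));
    printf("plain counter, 65535 leaks:      freed=%d\n", freed_under_owner(65535, false));
    printf("saturating counter, 65535 leaks: freed=%d\n", freed_under_owner(65535, true));
    return 0;
}
```

With the plain counter, 65535 leaked references bring the count from 1 back around to 0, and the next honest get/put pair frees the object while the owner still holds it; a saturating counter turns the same leak into a bounded memory leak instead of a free, which is the trade refcount_t makes.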