Bug 2165852 (CVE-2023-0240) - CVE-2023-0240 kernel: io_uring: reference counting issue in io_prep_async_work leads to use-after-free
Summary: CVE-2023-0240 kernel: io_uring: reference counting issue in io_prep_async_wor...
Alias: CVE-2023-0240
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2165853
Blocks: 2165714
Reported: 2023-01-31 09:24 UTC by Mauro Matteo Cascella
Modified: 2023-02-02 00:25 UTC (History)

Fixed In Version: kernel 5.10
Doc Type: If docs needed, set a value
Doc Text:
A logic error was found in the io_uring subsystem of the Linux kernel. The io_prep_async_work function incorrectly assumes that the last io_grab_identity call cannot return false; when it does, the request proceeds with the wrong identity, leading to a reference counting error and a use-after-free. This could allow a local user to crash the system or escalate their privileges.
Clone Of:
Last Closed: 2023-02-02 00:25:56 UTC


Description Mauro Matteo Cascella 2023-01-31 09:24:05 UTC
There is a logic error in io_uring's implementation which can be used to trigger a use-after-free vulnerability leading to privilege escalation. In the io_prep_async_work function the assumption that the last io_grab_identity call cannot return false is not true, and in this case the function will use the init_cred or the previous linked request's identity to do operations instead of using the current identity. This can lead to reference counting issues causing a use-after-free.

Upstream fix:

Comment 1 Mauro Matteo Cascella 2023-01-31 09:24:31 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2165853]

Comment 2 Justin M. Forbes 2023-01-31 21:38:19 UTC
This was fixed for Fedora with the 5.10 stable kernel rebases in 2020.

Comment 3 Product Security DevOps Team 2023-02-02 00:25:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):