A vulnerability in the fixed buffer registration code for io_uring
(io_sqe_buffer_register in io_uring/rsrc.c) allows out-of-bounds access
to physical memory beyond the end of the buffer. This can be used to
achieve full local privilege escalation.
The vulnerable code landed in 6.3-rc1 with commit 57bebf807e2a
("io_uring/rsrc: optimise registered huge pages")¹.
A fix has been committed upstream for 6.4-rc1 in commit 776617db78c6
("io_uring/rsrc: check for nonconsecutive pages")². The fix has also
been staged³ for 6.3.2.
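
What a "check for nonconsecutive pages" amounts to, as a user-space C model added here for illustration; it is not the kernel's code or the upstream patch. The `model_page` struct, both function names and the sample arrays are assumptions, and the model assumes the huge-page optimisation merges pages that share one compound page (folio) into a single segment.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a pinned page: its page frame number and the
 * compound page (folio) it belongs to. Not a kernel structure. */
struct model_page {
    unsigned long pfn;
    unsigned long folio_id;
};

/* Same-folio test only: accepts any pages that share a folio,
 * whether or not they are physically adjacent. */
static bool same_folio_only(const struct model_page *p, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (p[i].folio_id != p[0].folio_id)
            return false;
    return n > 1;
}

/* Hardened test: additionally requires each page to directly follow the
 * previous one, so a single (start, length) segment covers exactly them. */
static bool can_coalesce(const struct model_page *p, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (p[i].folio_id != p[0].folio_id || p[i].pfn != p[i - 1].pfn + 1)
            return false;
    return n > 1;
}

/* Constructed sample inputs (values are made up). */
static const struct model_page contiguous[] = {
    {0x1000, 7}, {0x1001, 7}, {0x1002, 7}, {0x1003, 7},
};
static const struct model_page with_gap[] = {
    {0x1000, 7}, {0x1001, 7}, {0x1003, 7}, {0x1004, 7},
};

int main(void)
{
    printf("contiguous: folio-only=%d hardened=%d\n",
           same_folio_only(contiguous, 4), can_coalesce(contiguous, 4));
    printf("with gap:   folio-only=%d hardened=%d\n",
           same_folio_only(with_gap, 4), can_coalesce(with_gap, 4));
    return 0;
}
```

In the model, the folio-only test accepts the array with a gap while the hardened test rejects it, so the buffer falls back to one segment per page instead of a single merged range.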
No shipped kernel version was seen to be affected by this problem. These files are not built in our source code.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):