Bugzilla – Full Text Bug Listing
Summary: VUL-0: CVE-2022-1786: kernel: invalid free in io_uring can lead to local privilege escalation
Product: [Novell Products] SUSE Security Incidents
Reporter: Carlos López <carlos.lopez>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Priority: P3 - Medium
CC: ddiss, meissner, mkoutny, osalvador, rgoldwyn, tiwai
Found By: ---
Services Priority:
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Description Carlos López 2022-05-17 07:37:55 UTC
From linux-distros:

Hi there,

I recently found a severe invalid-free bug in the io_uring subsystem which affects the v5.10.y branch of the Linux kernel. It has been demonstrated that the vulnerability can be exploited to achieve local privilege escalation.

The root cause of the bug is a misuse of the identity model in io_uring. When preparing a request, the kernel uses the identity of the current task instead of that of the request task, which causes type confusion and an invalid free when the request is being destroyed.

I have contacted email@example.com and we prepared a patch. I requested a 7-day embargo. But the patch is still queued and can be found here: https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-5.10/io_uring-always-use-original-task-when-preparing-req-identity.patch?id=483736350d203ea0129c3d7c58ed4d12ec1b631b

The vulnerability is confirmed to be able to lead to LPE. If your distro is affected, please apply the patch as soon as possible.

Best,
Kyle Zeng

A kernel crash report:

~~~
[ 6.353149] ==================================================================
[ 6.353619] BUG: KASAN: double-free or invalid-free in io_iopoll_complete+0x4e3/0x11a0
[ 6.354056]
[ 6.354160] CPU: 3 PID: 73 Comm: kworker/3:1 Not tainted 5.10.115+ #3
[ 6.354556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[ 6.355090] Workqueue: events delayed_fput
[ 6.355353] Call Trace:
[ 6.355514]  dump_stack+0x7d/0xa3
[ 6.355728]  print_address_description.constprop.0+0x1c/0x210
[ 6.356074]  ? _raw_spin_lock_irqsave+0x7b/0xd0
[ 6.356343]  ? _raw_write_lock_irqsave+0xd0/0xd0
[ 6.356618]  ? kasan_save_stack+0x32/0x40
[ 6.356860]  ? io_iopoll_complete+0x54e/0x11a0
[ 6.357126]  ? io_iopoll_complete+0x4e3/0x11a0
[ 6.357396]  kasan_report_invalid_free+0x51/0x80
[ 6.357674]  ? io_iopoll_complete+0x4e3/0x11a0
[ 6.357933]  __kasan_slab_free+0x141/0x150
[ 6.358180]  ? io_iopoll_complete+0x4e3/0x11a0
[ 6.358452]  kfree+0x90/0x210
[ 6.358640]  io_iopoll_complete+0x4e3/0x11a0
[ 6.358907]  ? io_write+0x9d0/0x9d0
[ 6.359125]  ? worker_thread+0x559/0x12a0
[ 6.359385]  ? io_wq_for_each_worker.isra.0+0x19a/0x270
[ 6.359701]  ? io_wqe_worker_send_sig+0x40/0x40
[ 6.359971]  io_do_iopoll+0x3d0/0x5e0
[ 6.360202]  ? io_iopoll_complete+0x11a0/0x11a0
[ 6.360468]  ? _raw_spin_lock_irq+0x76/0xd0
[ 6.360713]  io_iopoll_try_reap_events.part.0+0xf7/0x1a0
[ 6.361027]  ? io_do_iopoll+0x5e0/0x5e0
[ 6.361273]  io_ring_ctx_wait_and_kill+0x1a4/0x580
[ 6.361558]  ? io_iopoll_try_reap_events.part.0+0x1a0/0x1a0
[ 6.361901]  ? fcntl_setlk+0xc30/0xc30
[ 6.362133]  ? __switch_to+0x579/0xf40
[ 6.362358]  ? __switch_to_asm+0x42/0x70
[ 6.362590]  io_uring_release+0x39/0x50
[ 6.362824]  __fput+0x1e4/0x850
[ 6.363012]  ? read_word_at_a_time+0xe/0x20
[ 6.363275]  delayed_fput+0x49/0x70
[ 6.363488]  process_one_work+0x767/0x13f0
[ 6.363744]  worker_thread+0x559/0x12a0
[ 6.363984]  ? process_one_work+0x13f0/0x13f0
[ 6.364255]  kthread+0x315/0x3e0
[ 6.364459]  ? kthread_create_worker_on_cpu+0xd0/0xd0
[ 6.364769]  ret_from_fork+0x1f/0x30
[ 6.364989]
[ 6.365088] Allocated by task 428:
[ 6.365296]  kasan_save_stack+0x1b/0x40
[ 6.365529]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 6.365816]  io_uring_alloc_task_context+0x3e/0x290
[ 6.366116]  io_uring_add_task_file+0x18d/0x200
[ 6.366398]  __do_sys_io_uring_enter+0xd64/0x1630
[ 6.366687]  do_syscall_64+0x33/0x40
[ 6.366916]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6.367226]
[ 6.367341] The buggy address belongs to the object at ffff888102382800
[ 6.367341]  which belongs to the cache kmalloc-192 of size 192
[ 6.368101] The buggy address is located 88 bytes inside of
[ 6.368101]  192-byte region [ffff888102382800, ffff8881023828c0)
[ 6.368802] The buggy address belongs to the page:
[ 6.369109] page:00000000f8a39c85 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102382
[ 6.369671] flags: 0x200000000000200(slab)
[ 6.369923] raw: 0200000000000200 ffffea00040a9240 0000000200000002 ffff888100043540
[ 6.370384] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 6.370842] page dumped because: kasan: bad access detected
[ 6.371183]
[ 6.371284] Memory state around the buggy address:
[ 6.371592]  ffff888102382700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 6.372021]  ffff888102382780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 6.372439] >ffff888102382800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 6.372853]                    ^
[ 6.373204]  ffff888102382880: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 6.373618]  ffff888102382900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 6.374031] ==================================================================
[ 6.374444] Disabling lock debugging due to kernel taint
~~~
Comment 5 Carlos López 2022-05-17 09:28:14 UTC
The patch mentions that this only affects kernels with non-native workers (no IORING_FEAT_NATIVE_WORKERS), so this can only be relevant for cve/linux-5.3 or older. IORING_SETUP_IOPOLL is not present in cve/linux-4.12 or older, so that only leaves cve/linux-5.3. I do not see any io_uring patches in queue-5.4, so I'm inclined to say that cve/linux-5.3 would also not be affected. Could you please confirm? The code looks quite different.
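A runtime screen for the criterion stated in the comment above, added here as an example and not part of the bug record or any SUSE tooling: it asks the running kernel for its io_uring feature flags and reports whether IORING_FEAT_NATIVE_WORKERS is present. A missing flag only places the kernel in the population the 5.10 patch targets; whether the fix is actually applied still has to come from the distribution's changelog. Function and enum names are my own.

```c
/* Added example, not from the bug record: probe the running kernel's io_uring
 * feature flags. Comment 5 says the patch only matters for kernels without
 * IORING_FEAT_NATIVE_WORKERS. Function names are my own, not kernel API. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/io_uring.h>
#ifndef IORING_FEAT_NATIVE_WORKERS
#define IORING_FEAT_NATIVE_WORKERS (1U << 9)  /* uapi value; pre-5.12 headers lack it */
#endif
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425               /* x86_64 and asm-generic number */
#endif

enum screen_result { SCREEN_NATIVE_WORKERS = 0, SCREEN_LEGACY_WORKERS = 1 };
/* Pure classification of a features word, testable without a kernel:
 * legacy io-wq workers are the population the 5.10 patch targets. */
int screen_features(unsigned int features)
{
    return (features & IORING_FEAT_NATIVE_WORKERS) ? SCREEN_NATIVE_WORKERS
                                                   : SCREEN_LEGACY_WORKERS;
}

/* Create a minimal ring only to read back p.features. Returns 0 on success
 * or -errno; ENOSYS/EPERM means io_uring is absent or disabled here. */
int probe_io_uring_features(unsigned int *features)
{
    struct io_uring_params p;
    memset(&p, 0, sizeof(p));
    long fd = syscall(__NR_io_uring_setup, 1, &p);  /* one SQ entry suffices */
    if (fd < 0)
        return -errno;
    close((int)fd);                                  /* ring itself is not needed */
    *features = p.features;
    return 0;
}

int main(void)
{
    unsigned int features;
    int rc = probe_io_uring_features(&features);
    if (rc < 0) {
        printf("io_uring unavailable (%s): bug not reachable\n", strerror(-rc));
        return 0;
    }
    printf("features=0x%x: %s\n", features, screen_features(features) == SCREEN_NATIVE_WORKERS
           ? "native workers present, outside this patch's scope"
           : "no native workers, 5.10-style identity model; check the distro changelog");
    return 0;
}
```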
Comment 12 Carlos López 2022-05-25 12:55:18 UTC
Comment 15 Goldwyn Rodrigues 2022-07-29 16:04:43 UTC
This does not affect any of our enterprise releases. I checked cve/linux-5.3 and it does not have any instance where the context variable is initiated by current->io_uring rather than the passed request. As pointed out, this bug was introduced in later kernels.
Comment 16 Carlos López 2022-08-01 07:18:50 UTC
Closing, as our kernels are not affected.