Bug 1216818 (CVE-2023-0240)

Summary: VUL-0: CVE-2023-0240: kernel-source,kernel-source-azure,kernel-source-rt: kernel: io_uring: reference counting issue in io_prep_async_work leads to use-after-free
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: chester.lin, gabriel.bertazi, meissner, stoyan.manolov, uemit.arslan
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/355667/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-0240:7.8:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-11-02 13:06:34 UTC
There is a logic error in io_uring's implementation which can be used to trigger
a use-after-free vulnerability leading to privilege escalation. In the
io_prep_async_work function the assumption that the last io_grab_identity call
cannot return false is not true, and in this case the function will use the
init_cred or the previous linked request's identity to do operations instead of
using the current identity. This can lead to reference counting issues causing
use-after-free. We recommend upgrading past version 5.10.161.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0240
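The reference-count imbalance the description outlines, as an added simplified model that is not kernel code and not part of this bug report: a request whose identity grab fails is silently run under a borrowed init_cred without taking a reference on it, so the completion later drops the owner's only reference; the hardened shape surfaces the failure so the request is failed instead. All names here (grab_identity, prep_async_work_buggy/fixed, complete_work, run_scenario) are hypothetical stand-ins for the kernel functions named above.

```c
#include <stdbool.h>

/* Refcounted identity; refs reaching 0 models the object being freed while
 * its real owner still holds a pointer to it (the use-after-free). */
struct identity { int refs; };
static void ident_get(struct identity *id) { id->refs++; }
static void ident_put(struct identity *id) { id->refs--; }   /* 0 == freed */
/* Stands in for init_cred: a long-lived identity with one owner reference. */
static struct identity init_cred = { .refs = 1 };

struct request {
    struct identity *own;      /* identity the request should run under */
    struct identity *work_id;  /* identity recorded on the async work item */
    bool grab_fails;           /* simulates the grab that "cannot" fail failing */
};

/* Take a reference on the request's own identity for the async work. */
static bool grab_identity(struct request *req) {
    if (req->grab_fails) return false;
    ident_get(req->own);
    req->work_id = req->own;
    return true;
}

/* Buggy shape: on failure, silently borrow init_cred without a reference. */
static void prep_async_work_buggy(struct request *req) {
    if (!grab_identity(req))
        req->work_id = &init_cred;   /* no ident_get(): refcount imbalance */
}

/* Hardened shape: surface the failure so the request is failed instead. */
static bool prep_async_work_fixed(struct request *req) { return grab_identity(req); }

/* Completion drops the reference the work item is believed to hold. */
static void complete_work(struct request *req) {
    if (req->work_id) ident_put(req->work_id);
    req->work_id = 0;
}

/* One request whose grab fails; returns init_cred's refcount afterwards:
 * 1 means balanced, 0 means the owner's only reference was consumed. */
static int run_scenario(bool fixed) {
    struct identity own = { .refs = 1 };
    struct request req = { .own = &own, .work_id = 0, .grab_fails = true };
    init_cred.refs = 1;
    if (fixed && !prep_async_work_fixed(&req)) return init_cred.refs; /* rejected */
    if (!fixed) prep_async_work_buggy(&req);
    complete_work(&req);
    return init_cred.refs;
}
```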
Comment 2 Marcus Meissner 2023-11-02 13:09:18 UTC
kernel team, as the upstream kernel devs just pulled all of the io_uring stack to fix it, any idea which of our 5.3 and older kernels are affected?
Comment 3 Chester Lin 2023-11-02 14:35:32 UTC
(In reply to Marcus Meissner from comment #2)
> kernel team, as the upstream kernel devs just pulled all of the io_uring
> stack to fix it, any idea which of our 5.3 and older kernels are affected?

Reassigning to a concrete person to ensure progress [1] (feel free to pass to the next one), see also the process at [2].
 
Hi Gabriel,

Could you please take a look at this issue?

IIUC, this bug seems to have been introduced by 1e6fa5216a [applied since v5.10-rc1].
Comparing the current cve/linux-5.3 to 1e6fa5216a, there is a huge difference in io_uring.c; at least, neither io_prep_async_work() nor io_grab_identity() can be seen in cve/linux-5.3: fs/io_uring.c.
 
[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
[2] https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security