Bugzilla – Bug 1190664
VUL-0: CVE-2021-41073: kernel-source-azure,kernel-source,kernel-source-rt: Linux Kernel: Exploitable vulnerability in io_uring
Last modified: 2023-01-18 17:12:09 UTC
CVE-2021-41073
loop_rw_iter in fs/io_uring.c in the Linux kernel through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41073
http://seclists.org/oss-sec/2021/q3/181
http://www.openwall.com/lists/oss-security/2021/09/18/2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41073
http://www.cvedetails.com/cve/CVE-2021-41073/
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc
Fixes: 4017eb91a9e7 is 5.10 and later. It was not backported to SLES15-SP3 -> only Tumbleweed and 15-SP4 are affected.
The fix - commit 16c8d2df7ec0 ("io_uring: ensure symmetry in handling iter types in loop_rw_iter()") - was merged upstream for 5.15-rc2 and the 5.14.7 stable tree. So we'll get it from upstream for Tumbleweed and SLE15-SP4. I'll wait for the patch to land in the SLE15-SP4 branch (I expect that to happen on Monday or so) to update the CVE tag.
Never mind, SLE15-SP4 didn't get the stable update yet. I've just pushed the patch directly there. All done from my side. Reassigning back to the security team.