Bug 1190664 - (CVE-2021-41073) VUL-0: CVE-2021-41073: kernel-source-azure,kernel-source,kernel-source-rt: Linux Kernel: Exploitable vulnerability in io_uring
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/310391/
Reported: 2021-09-20 09:11 UTC by Marcus Meissner
Modified: 2023-01-18 17:12 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2021-09-20 09:11:57 UTC
CVE-2021-41073

loop_rw_iter in fs/io_uring.c in the Linux kernel through 5.14.6 allows local
users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of
a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41073
http://seclists.org/oss-sec/2021/q3/181
http://www.openwall.com/lists/oss-security/2021/09/18/2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41073
http://www.cvedetails.com/cve/CVE-2021-41073/
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=16c8d2df7ec0eed31b7d3b61cb13206a7fb930cc
Comment 1 Marcus Meissner 2021-09-20 09:15:19 UTC
fixes: 4017eb91a9e7 

is 5.10 and later.

was not backported to SLES15-SP3

-> only Tumbleweed and 15-SP4 are affected.
Comment 2 Jan Kara 2021-09-24 09:58:00 UTC
The fix - commit 16c8d2df7ec0 ("io_uring: ensure symmetry in handling iter types in loop_rw_iter()") - was merged upstream for 5.15-rc2 and 5.14.7 stable tree. So we'll get it from upstream for Tumbleweed and SLE15-SP4. I'll wait for the patch to land in SLE15-SP4 branch (I expect that to happen on Monday or so) to update the CVE tag.
Comment 3 Jan Kara 2021-10-01 09:55:13 UTC
Never mind, SLE15-SP4 didn't get the stable update yet. I've just pushed the patch directly there. All done from my side. Reassigning back to the security team.