Bug 1190664 - (CVE-2021-41073) VUL-0: CVE-2021-41073: kernel-source-azure,kernel-source,kernel-source-rt: Linux Kernel: Exploitable vulnerability in io_uring
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P3 - Medium : Major
Assigned To: Security Team bot
Reported: 2021-09-20 09:11 UTC by Marcus Meissner
Modified: 2023-01-18 17:12 UTC
Found By: Security Response Team
Description Marcus Meissner 2021-09-20 09:11:57 UTC

loop_rw_iter in fs/io_uring.c in the Linux kernel through 5.14.6 allows local
users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of
a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation.

Comment 1 Marcus Meissner 2021-09-20 09:15:19 UTC
fixes: 4017eb91a9e7 

is 5.10 and later.

was not backported to SLES15-SP3

-> only Tumbleweed and 15-sp4 are affected.

Comment 2 Jan Kara 2021-09-24 09:58:00 UTC
The fix - commit 16c8d2df7ec0 ("io_uring: ensure symmetry in handling iter types in loop_rw_iter()") - was merged upstream for 5.15-rc2 and the 5.14.7 stable tree. So we'll get it from upstream for Tumbleweed and SLE15-SP4. I'll wait for the patch to land in the SLE15-SP4 branch (I expect that to happen on Monday or so) to update the CVE tag.

Comment 3 Jan Kara 2021-10-01 09:55:13 UTC
Never mind, SLE15-SP4 didn't get the stable update yet. I've just pushed the patch directly there. All done from my side. Reassigning back to the security team.