Bug 1216818 (CVE-2023-0240) - VUL-0: CVE-2023-0240: kernel-source,kernel-source-azure,kernel-source-rt: kernel: io_uring: reference counting issue in io_prep_async_work leads to use-after-free
Summary: VUL-0: CVE-2023-0240: kernel-source,kernel-source-azure,kernel-source-rt: ker...
Status: RESOLVED INVALID
Alias: CVE-2023-0240
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/355667/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-0240:7.8:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-02 13:06 UTC by SMASH SMASH
Modified: 2023-11-03 04:36 UTC
CC: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2023-11-02 13:06:34 UTC
There is a logic error in io_uring's implementation which can be used to trigger
a use-after-free vulnerability leading to privilege escalation. In the
io_prep_async_work function the assumption that the last io_grab_identity call
cannot return false is not true, and in this case the function will use the
init_cred or the previous linked request's identity to do operations instead of
using the current identity. This can lead to reference counting issues causing
use-after-free. We recommend upgrading past version 5.10.161.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0240
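To make the failure mode in the description concrete, the following is a constructed C model added here; it is not the kernel's io_uring code and not part of the SUSE or upstream discussion. It models io_grab_identity() as a grab_identity() that can fail, and contrasts a prep routine that assumes the grab cannot fail and silently falls back to another identity (the previous linked request's) without taking a reference on it, with one that propagates the failure to the caller. The struct names, the audit counters and the two scenarios are illustrative assumptions; reference counts are tracked and audited instead of performing real frees, so the "use-after-free" shows up as a counter rather than a crash.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of an io_identity-like object with a manual refcount. */
struct identity {
    const char *name;
    int refcount;   /* live references held by requests and work items */
    int released;   /* set once the last reference has been dropped */
};

/* Audit counters standing in for real memory corruption. */
struct audit {
    int use_after_release; /* uses of an identity whose refcount already hit 0 */
    int unbalanced;        /* puts on an identity with no reference left to drop */
};

static void identity_get(struct identity *id) { id->refcount++; }

static void identity_put(struct identity *id, struct audit *a)
{
    if (id->refcount <= 0) { a->unbalanced++; return; }
    if (--id->refcount == 0) id->released = 1;
}

static void identity_use(struct identity *id, struct audit *a)
{
    if (id->released) a->use_after_release++;
}

/* Per-request state (assumed layout, not the kernel's io_kiocb). */
struct request {
    struct identity *identity;      /* identity the request should run with */
    struct identity *work_identity; /* identity the deferred work item ends up holding */
    bool cred_available;            /* whether grabbing the current identity can succeed */
};

/* Modeled io_grab_identity(): takes a reference on success, fails otherwise. */
static bool grab_identity(struct request *req)
{
    if (!req->cred_available) return false;
    identity_get(req->identity);
    req->work_identity = req->identity;
    return true;
}

/* Buggy: assumes the grab cannot fail and falls back to another identity
 * without owning a reference to it. The later put is now unbalanced. */
static void prep_async_work_buggy(struct request *req, struct identity *fallback)
{
    if (!grab_identity(req))
        req->work_identity = fallback; /* no identity_get(): refcount is now wrong */
}

/* Fixed: report the failure so the caller fails the request instead of
 * queuing work under the wrong identity. */
static bool prep_async_work_fixed(struct request *req)
{
    return grab_identity(req);
}

/* Deferred work: uses the held identity, then drops the reference it believes it owns. */
static void run_async_work(struct request *req, struct audit *a)
{
    identity_use(req->work_identity, a);
    identity_put(req->work_identity, a);
}

/* Grab fails; the buggy prep borrows the previous link's identity, the work
 * item drops its only reference, and the real owner then uses a released object. */
struct audit scenario_buggy(void)
{
    struct audit a = {0};
    struct identity prev = { "prev-link", 1, 0 }; /* owned by the previous linked request */
    struct identity cur  = { "current",   1, 0 }; /* owned by the current request */
    struct request req = { &cur, NULL, false };   /* constructed: credentials unavailable */

    prep_async_work_buggy(&req, &prev);
    run_async_work(&req, &a);  /* drops prev's only reference */
    identity_use(&prev, &a);   /* previous request still uses it: use-after-release */
    identity_put(&prev, &a);   /* owner's own put: nothing left to drop */
    identity_put(&cur, &a);
    return a;
}

/* Same failing grab, fixed prep: no work is queued, every put matches a get. */
struct audit scenario_fixed(bool cred_available)
{
    struct audit a = {0};
    struct identity prev = { "prev-link", 1, 0 };
    struct identity cur  = { "current",   1, 0 };
    struct request req = { &cur, NULL, cred_available };

    if (prep_async_work_fixed(&req))
        run_async_work(&req, &a);
    /* else the request is failed by the caller; nothing holds a borrowed identity */
    identity_use(&prev, &a);
    identity_put(&prev, &a);
    identity_put(&cur, &a);
    return a;
}

int main(void)
{
    struct audit b = scenario_buggy(), f = scenario_fixed(false), s = scenario_fixed(true);
    printf("buggy: use_after_release=%d unbalanced=%d\n", b.use_after_release, b.unbalanced);
    printf("fixed (grab fails): use_after_release=%d unbalanced=%d\n", f.use_after_release, f.unbalanced);
    printf("fixed (grab succeeds): use_after_release=%d unbalanced=%d\n", s.use_after_release, s.unbalanced);
    return 0;
}
```

The point of the model is the shape of the bug rather than its exact kernel form: once a fallible grab is treated as infallible, the object used for the work and the object whose reference gets dropped can differ, and the imbalance only surfaces later when another holder touches the prematurely released identity.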
Comment 2 Marcus Meissner 2023-11-02 13:09:18 UTC
kernel team, as the upstream kernel devs just pulled all of the io_uring stack to fix it, any idea which of our 5.3 and older kernels are affected?
Comment 3 Chester Lin 2023-11-02 14:35:32 UTC
(In reply to Marcus Meissner from comment #2)
> kernel team, as the upstream kernel devs just pulled all of the io_uring
> stack to fix it, any idea which of our 5.3 and older kernels are affected?

Reassigning to a concrete person to ensure progress [1] (feel free to pass it on to the next one); see also the process at [2].
 
Hi Gabriel,

Could you please take a look at this issue?

IIUC, this bug seems to have been introduced by 1e6fa5216a [applied since v5.10-rc1].
Comparing the current cve/linux-5.3 to 1e6fa5216a, there is a huge difference in io_uring.c; at least, no io_prep_async_work() and no io_grab_identity() can be seen in cve/linux-5.3: fs/io_uring.c.
 
[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
[2] https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security