Bug 1199599 - (CVE-2022-1786) VUL-0: CVE-2022-1786: kernel: invalid free in io_uring can lead to local privilege escalation
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/332049/
CVSSv3.1:SUSE:CVE-2022-1786:7.8:(AV:L...
Depends on:
Blocks: 1199700
Reported: 2022-05-17 07:37 UTC by Carlos López
Modified: 2022-08-01 07:18 UTC (History)
See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Carlos López 2022-05-17 07:37:55 UTC
From linux-distros:

Hi there,

I recently found a severe invalid-free bug in the io_uring subsystem which
affects the v5.10.y branch of the Linux kernel. It has been demonstrated
that the vulnerability can be exploited to achieve local privilege
escalation.

The root cause of the bug is a misuse of the identity model in io_uring.
When preparing a request, the kernel uses the identity of the current task
instead of that of the request task, which causes type confusion and
invalid-free when the request is being destroyed.

I have contacted security@kernel.org and we prepared a patch. I requested a
7-day embargo. But the patch is still queued and can be found here:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-5.10/io_uring-always-use-original-task-when-preparing-req-identity.patch?id=483736350d203ea0129c3d7c58ed4d12ec1b631b
.

The vulnerability is confirmed to be able to lead to LPE. If your distro is
affected, please apply the patch as soon as possible.

Best,
Kyle Zeng

A kernel crash report:
~~~
[    6.353149] ==================================================================
[    6.353619] BUG: KASAN: double-free or invalid-free in io_iopoll_complete+0x4e3/0x11a0
[    6.354056]
[    6.354160] CPU: 3 PID: 73 Comm: kworker/3:1 Not tainted 5.10.115+ #3
[    6.354556] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[    6.355090] Workqueue: events delayed_fput
[    6.355353] Call Trace:
[    6.355514]  dump_stack+0x7d/0xa3
[    6.355728]  print_address_description.constprop.0+0x1c/0x210
[    6.356074]  ? _raw_spin_lock_irqsave+0x7b/0xd0
[    6.356343]  ? _raw_write_lock_irqsave+0xd0/0xd0
[    6.356618]  ? kasan_save_stack+0x32/0x40
[    6.356860]  ? io_iopoll_complete+0x54e/0x11a0
[    6.357126]  ? io_iopoll_complete+0x4e3/0x11a0
[    6.357396]  kasan_report_invalid_free+0x51/0x80
[    6.357674]  ? io_iopoll_complete+0x4e3/0x11a0
[    6.357933]  __kasan_slab_free+0x141/0x150
[    6.358180]  ? io_iopoll_complete+0x4e3/0x11a0
[    6.358452]  kfree+0x90/0x210
[    6.358640]  io_iopoll_complete+0x4e3/0x11a0
[    6.358907]  ? io_write+0x9d0/0x9d0
[    6.359125]  ? worker_thread+0x559/0x12a0
[    6.359385]  ? io_wq_for_each_worker.isra.0+0x19a/0x270
[    6.359701]  ? io_wqe_worker_send_sig+0x40/0x40
[    6.359971]  io_do_iopoll+0x3d0/0x5e0
[    6.360202]  ? io_iopoll_complete+0x11a0/0x11a0
[    6.360468]  ? _raw_spin_lock_irq+0x76/0xd0
[    6.360713]  io_iopoll_try_reap_events.part.0+0xf7/0x1a0
[    6.361027]  ? io_do_iopoll+0x5e0/0x5e0
[    6.361273]  io_ring_ctx_wait_and_kill+0x1a4/0x580
[    6.361558]  ? io_iopoll_try_reap_events.part.0+0x1a0/0x1a0
[    6.361901]  ? fcntl_setlk+0xc30/0xc30
[    6.362133]  ? __switch_to+0x579/0xf40
[    6.362358]  ? __switch_to_asm+0x42/0x70
[    6.362590]  io_uring_release+0x39/0x50
[    6.362824]  __fput+0x1e4/0x850
[    6.363012]  ? read_word_at_a_time+0xe/0x20
[    6.363275]  delayed_fput+0x49/0x70
[    6.363488]  process_one_work+0x767/0x13f0
[    6.363744]  worker_thread+0x559/0x12a0
[    6.363984]  ? process_one_work+0x13f0/0x13f0
[    6.364255]  kthread+0x315/0x3e0
[    6.364459]  ? kthread_create_worker_on_cpu+0xd0/0xd0
[    6.364769]  ret_from_fork+0x1f/0x30
[    6.364989]
[    6.365088] Allocated by task 428:
[    6.365296]  kasan_save_stack+0x1b/0x40
[    6.365529]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[    6.365816]  io_uring_alloc_task_context+0x3e/0x290
[    6.366116]  io_uring_add_task_file+0x18d/0x200
[    6.366398]  __do_sys_io_uring_enter+0xd64/0x1630
[    6.366687]  do_syscall_64+0x33/0x40
[    6.366916]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[    6.367226]
[    6.367341] The buggy address belongs to the object at ffff888102382800
[    6.367341]  which belongs to the cache kmalloc-192 of size 192
[    6.368101] The buggy address is located 88 bytes inside of
[    6.368101]  192-byte region [ffff888102382800, ffff8881023828c0)
[    6.368802] The buggy address belongs to the page:
[    6.369109] page:00000000f8a39c85 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102382
[    6.369671] flags: 0x200000000000200(slab)
[    6.369923] raw: 0200000000000200 ffffea00040a9240 0000000200000002 ffff888100043540
[    6.370384] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[    6.370842] page dumped because: kasan: bad access detected
[    6.371183]
[    6.371284] Memory state around the buggy address:
[    6.371592]  ffff888102382700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    6.372021]  ffff888102382780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[    6.372439] >ffff888102382800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    6.372853]                                                     ^
[    6.373204]  ffff888102382880: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[    6.373618]  ffff888102382900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    6.374031] ==================================================================
[    6.374444] Disabling lock debugging due to kernel taint
~~~
Comment 5 Carlos López 2022-05-17 09:28:14 UTC
The patch mentions that this only affects kernels with non-native workers (no IORING_FEAT_NATIVE_WORKERS), so this can only be relevant for cve/linux-5.3 or older. IORING_SETUP_IOPOLL is not present in cve/linux-4.12 or older, so that only leaves cve/linux-5.3.

I do not see any io_uring patches in queue-5.4, so I'm inclined to say that cve/linux-5.3 would also not be affected. Could you please confirm? The code looks quite different.
Comment 12 Carlos López 2022-05-25 12:55:18 UTC
Public:
https://www.openwall.com/lists/oss-security/2022/05/24/4
Comment 15 Goldwyn Rodrigues 2022-07-29 16:04:43 UTC
This does not affect any of our enterprise releases. I checked cve/linux-5.3 and it does not have any instance where the context variable is initialized by current->io_uring rather than the passed request.

As pointed out this bug was introduced in later kernels.
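The pattern Comment 15 refers to, and the root cause the report describes (the request identity taken from the current task rather than from the request's own task), modelled as a small user-space C program added here for illustration; it is not the kernel's code, and the struct names, fields and the teardown check are simplifying assumptions drawn from the report and the KASAN output above.

```c
#include <stdbool.h>
#include <stddef.h>

/* Assumed, simplified model of the io_uring identity rule in the report:
 * each task context (tctx) embeds one identity, and teardown only frees a
 * request's identity when it is NOT the embedded identity of the request's
 * own task. Names and layout are illustrative, not the kernel's code. */
struct io_identity { int count; };
struct io_uring_task {
    struct io_identity embedded;   /* inside the tctx; never freed alone */
    struct io_identity *identity;  /* &embedded unless a private copy exists */
};
struct io_kiocb {
    struct io_uring_task *task_tctx;  /* tctx of the task that submitted it */
    struct io_identity *work_identity;
};

/* Buggy preparation: identity taken from whichever task is running now. */
static void prep_identity_buggy(struct io_kiocb *req, struct io_uring_task *current)
{
    req->work_identity = current->identity;
}

/* Fixed preparation: identity taken from the request's own task. */
static void prep_identity_fixed(struct io_kiocb *req)
{
    req->work_identity = req->task_tctx->identity;
}

/* Teardown as modelled: true means kfree(req->work_identity) would run.
 * When work_identity points into ANOTHER task's tctx that is the invalid
 * free KASAN reported: a pointer inside the kmalloc-192 tctx object. */
static bool teardown_would_free(const struct io_kiocb *req)
{
    return req->work_identity != &req->task_tctx->embedded;
}

/* Request submitted by task A but prepared while task B is current. */
bool identity_mismatch_frees(bool use_fix)
{
    struct io_uring_task a = { .embedded = { 1 } }, b = { .embedded = { 1 } };
    struct io_kiocb req = { .task_tctx = &a, .work_identity = NULL };
    a.identity = &a.embedded; b.identity = &b.embedded;
    if (use_fix)
        prep_identity_fixed(&req);
    else
        prep_identity_buggy(&req, &b);
    return teardown_would_free(&req);   /* buggy: true, fixed: false */
}
```

With the buggy preparation the request holds task B's embedded identity, which the teardown check keyed on task A treats as a separately allocated object; the fixed preparation keeps the identity within the owning task's context, so nothing embedded is ever freed.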
Comment 16 Carlos López 2022-08-01 07:18:50 UTC
Closing, as our kernels are not affected.