Thanks, neoni. We appreciate the report. Sorry it took this long to get
a response.

Those fixes are already applied in our 5.15 kernels and we don't support
5.19 and 6.0 anymore. Since these have been fixed in 6.1 and later
kernels and 5.4 does not carry those features, we consider this issue
fixed in all the supported kernels we currently ship.

Thanks again.
Cascardo.

** Information type changed from Private Security to Public Security

** Changed in: linux-hwe (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-hwe in Ubuntu.
https://bugs.launchpad.net/bugs/1989435

Title:
  race condition in io_uring lead to Local Privilege Escalation

Status in linux-hwe package in Ubuntu:
  Fix Released

Bug description:
  Hello. I'm neoni. I would like to report a vulnerability that leads to
  Use After Free.

  An unprivileged attacker may use this vulnerability to root to achieve
  local privilege escalation.

  Here is the detail:
  When io_uring does an io_sqe_buffers_unregister/io_sqe_files_unregister
  operation, it will unlock ctx->uring_lock in the io_rsrc_ref_quiesce
  process and later release files/buffers. So an attacker could submit a
  file/buffer read/write related operation by racing the
  io_rsrc_ref_quiesce process. When files/buffers are released and ctx
  starts to deal with the new sqe, a Use-After-Free will be triggered.

  The vulnerability was already patched as a bug in Linux mainstream
  5.19 and 6.0:
  https://github.com/torvalds/linux/commit/d11d31fc5d8a96f707facee0babdcffaafa38de2
  https://github.com/torvalds/linux/commit/b0380bf6dad4601d92025841e2b7a135d566c6e3


  A PoC that crashes the kernel is attached. It affects most recent
  Ubuntu kernel images as well as some hwe/oem kernels like hwe-5.17.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-hwe/+bug/1989435/+subscriptions
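
The lock-drop window from the bug description, as an added example that is not part of the original report or of the kernel source: a single-threaded C model of the interleaving. All struct and function names are hypothetical, a `released` flag stands in for freeing memory, and hiding the table before the lock is dropped is an assumed mitigation shown for contrast, not a description of the referenced commits.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed userspace model; every name here is hypothetical. */
struct table { bool released; size_t nr; };
struct ring  { struct table *tbl; size_t nr_visible; bool lock_held; };
struct req   { struct table *tbl; size_t idx; bool valid; };

/* Submission: needs the ring lock, then binds the request to a table slot. */
static struct req submit(struct ring *r, size_t idx)
{
    struct req q = { 0 };
    if (r->lock_held || idx >= r->nr_visible)
        return q;                 /* blocked on the lock, or no such slot */
    q.tbl = r->tbl; q.idx = idx; q.valid = true;
    return q;
}

/* Unregister, step 1: entered with the lock held; quiesce drops it. */
static void unregister_begin(struct ring *r, bool hide_table_first)
{
    if (hide_table_first)
        r->nr_visible = 0;        /* hardened: new lookups fail from here on */
    r->lock_held = false;         /* lock dropped while waiting for old refs */
}

/* Unregister, step 2: lock retaken, table released. */
static void unregister_finish(struct ring *r)
{
    r->lock_held = true;
    r->tbl->released = true;      /* stands in for freeing the memory */
    r->lock_held = false;
}

/* True if a request submitted in the window ends up bound to a released table. */
static bool stale_use_after_unregister(bool hide_table_first)
{
    struct table t = { false, 4 };
    struct ring r = { &t, t.nr, true };   /* unregister already holds the lock */
    unregister_begin(&r, hide_table_first);
    struct req q = submit(&r, 1);         /* submission racing the quiesce */
    unregister_finish(&r);
    return q.valid && q.tbl->released;
}

int main(void)
{
    return (stale_use_after_unregister(false) && !stale_use_after_unregister(true)) ? 0 : 1;
}
```

The model makes the review question concrete: any state a path can reach after the lock is dropped must either be unreachable for new requests or be re-validated once the lock is retaken.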

