Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <ZA+CMlU2Acu8NBhA@quatroqueijos.cascardo.eti.br>
Date: Mon, 13 Mar 2023 17:06:10 -0300
From: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-1032 - Linux kernel io_uring IORING_OP_SOCKET double free

A double-free vulnerability was found in the handling of IORING_OP_SOCKET
operation with io_uring on the Linux kernel.

It was fixed by commit:

649c15c7691e9b13cbe9bf6c65c365350e056067 ("net: avoid double iput when sock_alloc_file fails")

It has been assigned CVE-2023-1032.

It affects kernel versions starting with 5.19-rc1 and should affect any
backports including commits da214a475f8bd1d3e9e7a19ddfeb4d1617551bab ("net: add
__sys_socket_file()") and 1374e08e2d44863c931910797852589803997668 ("io_uring:
add socket(2) support").

It requires a memory allocation failure to happen, which will be followed by a
double free of a recently allocated object.

Causing the memory allocation failure does not require much more than being in
a memory cgroup with a maximum allocation setup (systemd MemoryMax, for
example).

The double free happens with iput, which sets up a flag, and leads to a BUG_ON.
So, at least, a system crash is possible.

Cascardo.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.