[SRU focal/linux-oem-5.6 0/1] io_uring async sendmsg copy to kernel address 0
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Fri May 14 12:14:37 UTC 2021
[Impact]
When using async io_uring OP_SENDMSG, a copy to kernel address 0 might be
attempted, leading to a kernel WARN/BUG and an uninterruptible process.
[Fix]
Partial backport of dd821e0c95a64b5923a0c57f07d3f7563553e756 ("io_uring: fix
missing msg_name assignment"). The recvmsg side does not need to set msg_name,
as it copies from a local/stack kernel address (at ____sys_recvmsg) to a uaddr
parameter, which is given when doing the copy_msghdr operation.
[Test case]
LTP io_uring02 was run, and an equivalent recvmsg test was done too. A
successful sendmsg test (without the chroot at io_uring02 test) was also
run.
[Potential regressions]
io_uring sendmsg/recvmsg paths could fail, potentially leading to a system
crash or even a security vulnerability.
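The failure pattern described above, modelled in userspace as an added example (not the kernel patch itself and not code from this submission): an async context copies the caller's msghdr but leaves msg_name unset, so a later send would dereference address 0; the fixed copy seeds msg_name with the context's own address storage. The struct and function names are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Userspace stand-in for the kernel's async sendmsg context: the copied
 * msghdr plus private storage for the destination address. */
struct async_msg {
    struct msghdr msg;
    struct sockaddr_storage addr;
};

/* Bug pattern: header fields are copied, but msg_name is never pointed at
 * ctx->addr, so the deferred worker sees msg_name == NULL (address 0). */
static void copy_hdr_buggy(struct async_msg *ctx, const struct msghdr *umsg)
{
    memset(ctx, 0, sizeof(*ctx));
    ctx->msg.msg_namelen = umsg->msg_namelen;
    if (umsg->msg_name && umsg->msg_namelen <= sizeof(ctx->addr))
        memcpy(&ctx->addr, umsg->msg_name, umsg->msg_namelen);
}

/* Fixed pattern: the single missing assignment, msg_name -> own storage. */
static void copy_hdr_fixed(struct async_msg *ctx, const struct msghdr *umsg)
{
    copy_hdr_buggy(ctx, umsg);
    ctx->msg.msg_name = &ctx->addr;
}

/* The invariant a worker relies on: a nonzero namelen must be backed by the
 * context's own address buffer. Returns 1 if safe to send, 0 otherwise. */
static int hdr_is_safe(const struct async_msg *ctx)
{
    if (ctx->msg.msg_namelen == 0)
        return 1;
    return ctx->msg.msg_name == (void *)&ctx->addr;
}

/* Build a constructed sendmsg request with a destination address and run
 * it through the buggy (fixed == 0) or fixed (fixed != 0) copy. */
static int demo(int fixed)
{
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(7) };
    struct msghdr umsg = { .msg_name = &dst, .msg_namelen = sizeof(dst) };
    struct async_msg ctx;

    if (fixed)
        copy_hdr_fixed(&ctx, &umsg);
    else
        copy_hdr_buggy(&ctx, &umsg);
    return hdr_is_safe(&ctx);
}
```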
Pavel Begunkov (1):
io_uring: fix missing msg_name assignment
fs/io_uring.c | 1 +
1 file changed, 1 insertion(+)
--
2.30.2