[SRU Focal/Jammy] CVE-2022-3176
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Mon Sep 19 17:57:57 UTC 2022
[Impact]
There exists a use-after-free in io_uring in the Linux kernel. signalfd_poll()
and binder_poll() use a waitqueue whose lifetime is the current task. It will
send a POLLFREE notification to all waiters before the queue is freed.
Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a
use-after-free to occur if a signalfd or binder fd is polled with io_uring
poll, and the waitqueue gets freed.
[Backport]
Backports for Jammy include lots of changes to the io_uring poll mechanism that
were already ported to the stable 5.15.y series. All backports come from
that series.
The Focal backport is a single commit that was ported to the stable 5.4.y series.
[Testing]
liburing/test/ tests have been run against these kernels. On 5.4, many
pre-existing failures were found. On 5.15, very few failures were found
and they did not regress. Given the small change on 5.4 and the many
pre-existing failures there, I gave more attention to the 5.15 results,
which did not regress.
----------------------
Jens Axboe (2):
      io_uring: remove poll entry from list when canceling all
      io_uring: bump poll refs to full 31-bits

Pavel Begunkov (10):
      io_uring: refactor poll update
      io_uring: move common poll bits
      io_uring: kill poll linking optimisation
      io_uring: inline io_poll_complete
      io_uring: correct fill events helpers types
      io_uring: clean cqe filling functions
      io_uring: poll rework
      io_uring: fail links when poll fails
      io_uring: fix wrong arm_poll error handling
      io_uring: fix UAF due to missing POLLFREE handling
fs/io_uring.c | 740 +++++++++++++++++++++++---------------------------
1 file changed, 347 insertions(+), 393 deletions(-)
--
2.34.1
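The [Impact] section above describes a protocol between a wait-queue owner and its waiters: the owner broadcasts POLLFREE before the queue memory goes away, and a waiter that ignores that notification keeps a back-pointer to memory that no longer exists. The following userspace model is an added illustration of that protocol and is not part of this post or of the kernel patches it lists; the structures, event bit values and function names are constructed for the model, and "freeing" the head is represented by a flag so that no released memory is ever dereferenced. It shows a waiter that only reacts to the readiness bits it asked for (left dangling after teardown) beside one that handles POLLFREE by unlinking itself and dropping its back-pointer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Event bits are placeholders for this model, not the kernel's values. */
#define MODEL_POLLIN   0x0001u
#define MODEL_POLLHUP  0x0010u
#define MODEL_POLLFREE 0x4000u   /* "this wait queue is about to be freed" */

struct wait_entry;
typedef void (*wake_fn)(struct wait_entry *w, unsigned int mask);

/* A wait-queue head whose lifetime is tied to a task (as signalfd's is).
 * teardown() sets `freed` instead of calling free(), so a stale
 * back-pointer can be detected without touching released memory. */
struct wait_queue_head {
    struct wait_entry *first;
    bool freed;
};

/* A waiter registered on a head. `head` is the back-pointer a poll
 * implementation keeps so it can unregister later; if it outlives the
 * head, it is a dangling pointer. */
struct wait_entry {
    struct wait_entry *next;
    struct wait_queue_head *head;
    wake_fn func;
    unsigned int events;     /* readiness bits this waiter asked for */
    bool ready;              /* set when a requested bit was delivered */
    bool cancelled;          /* set when the waiter saw POLLFREE */
};

static void add_wait(struct wait_queue_head *h, struct wait_entry *w)
{
    w->head = h;
    w->next = h->first;
    h->first = w;
}

/* Unlink `w` from its head and clear the back-pointer. */
static void remove_wait(struct wait_entry *w)
{
    struct wait_entry **pp;

    if (!w->head)
        return;
    for (pp = &w->head->first; *pp; pp = &(*pp)->next) {
        if (*pp == w) {
            *pp = w->next;
            break;
        }
    }
    w->next = NULL;
    w->head = NULL;
}

/* Deliver `mask` to every waiter. Callbacks may unlink themselves, so the
 * next pointer is read before each call. */
static void wake_up(struct wait_queue_head *h, unsigned int mask)
{
    struct wait_entry *w = h->first;

    while (w) {
        struct wait_entry *next = w->next;
        w->func(w, mask);
        w = next;
    }
}

/* What the owning task does before releasing the head: notify every waiter
 * with POLLFREE, then the memory goes away (modelled by the flag). */
static void teardown(struct wait_queue_head *h)
{
    wake_up(h, MODEL_POLLHUP | MODEL_POLLFREE);
    h->first = NULL;
    h->freed = true;
}

/* Waiter that only looks at the bits it asked for: POLLFREE is ignored and
 * the back-pointer is kept, so after teardown it refers to a released head. */
static void wake_ignoring_pollfree(struct wait_entry *w, unsigned int mask)
{
    if (mask & w->events)
        w->ready = true;   /* would complete the poll request here */
}

/* Waiter that honours POLLFREE: mark the request cancelled, unlink from the
 * head and drop the back-pointer before the head disappears. */
static void wake_handling_pollfree(struct wait_entry *w, unsigned int mask)
{
    if (mask & MODEL_POLLFREE) {
        w->cancelled = true;
        remove_wait(w);
        return;
    }
    if (mask & w->events)
        w->ready = true;   /* would complete the poll request here */
}

/* 1 if the waiter still points at a head that has been torn down. */
static int waiter_dangles(const struct wait_entry *w)
{
    return w->head != NULL && w->head->freed;
}

/* Register one waiter, tear the head down, report whether it dangles.
 * `head` is still in scope when waiter_dangles() reads through it. */
static int run_teardown(wake_fn cb)
{
    struct wait_queue_head head = { .first = NULL, .freed = false };
    struct wait_entry w = { .func = cb, .events = MODEL_POLLIN };

    add_wait(&head, &w);
    teardown(&head);
    return waiter_dangles(&w);
}

/* Register one waiter and deliver an ordinary readiness event. */
static int run_ready(wake_fn cb)
{
    struct wait_queue_head head = { .first = NULL, .freed = false };
    struct wait_entry w = { .func = cb, .events = MODEL_POLLIN };

    add_wait(&head, &w);
    wake_up(&head, MODEL_POLLIN);
    return w.ready;
}

int main(void)
{
    printf("ignores POLLFREE: dangling=%d\n", run_teardown(wake_ignoring_pollfree));
    printf("handles POLLFREE: dangling=%d\n", run_teardown(wake_handling_pollfree));
    return 0;
}
```

The model deliberately keeps the readiness path identical in both callbacks; the only difference is the POLLFREE branch, which mirrors the shape of the last commit in the shortlog above (cancel the request, unlink the entry, clear the head pointer). In real kernels the "freed" flag does not exist, which is why the stale pointer in the first waiter is a memory-safety bug rather than a detectable state.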