ACK: [SRU Focal/Jammy] CVE-2022-3176
Stefan Bader
stefan.bader at canonical.com
Tue Sep 20 07:46:54 UTC 2022
On 19.09.22 19:57, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll()
> and binder_poll() use a waitqueue whose lifetime is the current task. It will
> send a POLLFREE notification to all waiters before the queue is freed.
> Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a
> use-after-free to occur if a signalfd or binder fd is polled with io_uring
> poll, and the waitqueue gets freed.
>
> [Backport]
> Backports for Jammy include lots of changes to io_uring poll mechanism that
> were already ported to the stable 5.15.y series. All backports come from
> that series.
>
> Focal backport is a single commit that was ported to stable 5.4.y series.
>
> [Testing]
> liburing/test/ tests have been run against these kernels. On 5.4, many
> pre-existing failures were found. On 5.15, very few failures were found
> and did not regress. Given the small change on 5.4 and there are many
> failures there, I gave more attention to the 5.15 results, which did
> not regress.
>
>
> ----------------------
>
> Jens Axboe (2):
> io_uring: remove poll entry from list when canceling all
> io_uring: bump poll refs to full 31-bits
>
> Pavel Begunkov (10):
> io_uring: refactor poll update
> io_uring: move common poll bits
> io_uring: kill poll linking optimisation
> io_uring: inline io_poll_complete
> io_uring: correct fill events helpers types
> io_uring: clean cqe filling functions
> io_uring: poll rework
> io_uring: fail links when poll fails
> io_uring: fix wrong arm_poll error handling
> io_uring: fix UAF due to missing POLLFREE handling
>
> fs/io_uring.c | 740 +++++++++++++++++++++++---------------------------
> 1 file changed, 347 insertions(+), 393 deletions(-)
>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
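The [Impact] text above describes a lifetime protocol: a waitqueue owner (signalfd, binder) broadcasts POLLFREE to every waiter just before the queue is freed, and each waiter is expected to detach itself and forget the queue pointer at that moment. The following userspace model, added here as an illustration and not code from the kernel, the patch series or the original mail, shows why a waiter that ignores POLLFREE is left holding a dangling pointer. All structure and function names (`wq_head`, `poll_req`, `poll_wake`, `owner_destroy`, `scenario`) are constructed for this example; the POLLFREE/EPOLLHUP bit values are taken from the kernel headers but nothing else here is kernel code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Bit values as in the kernel's uapi/poll headers (illustrative constants). */
#define EPOLLHUP  0x0010u
#define POLLFREE  0x4000u   /* owner says: the waitqueue is about to be freed */

/* Minimal waitqueue: a singly linked list of entries with a wake callback. */
struct wq_entry {
    struct wq_entry *next;
    void *priv;
    int (*func)(struct wq_entry *e, unsigned mask);
};

struct wq_head {
    struct wq_entry *first;
};

/* A poll request, modelled on a poller that remembers which head it armed on
 * so a later cancel path can remove its entry again. */
struct poll_req {
    struct wq_entry wait;
    struct wq_head *head;      /* NULL once the request has detached */
    bool cancelled;
    bool handles_pollfree;     /* false models the pre-fix behaviour */
};

static void wq_add(struct wq_head *h, struct wq_entry *e)
{
    e->next = h->first;
    h->first = e;
}

static void wq_del(struct wq_head *h, struct wq_entry *e)
{
    for (struct wq_entry **pp = &h->first; *pp; pp = &(*pp)->next) {
        if (*pp == e) {
            *pp = e->next;
            e->next = NULL;
            return;
        }
    }
}

/* Wake every waiter; callbacks may unlink themselves, so fetch next first. */
static void wq_wake(struct wq_head *h, unsigned mask)
{
    for (struct wq_entry *e = h->first, *next; e; e = next) {
        next = e->next;
        e->func(e, mask);
    }
}

static int poll_wake(struct wq_entry *e, unsigned mask)
{
    struct poll_req *req = e->priv;

    if (mask & POLLFREE) {
        if (!req->handles_pollfree) {
            /* Pre-fix behaviour: treated like any readiness event, nothing is
             * detached now; the deferred completion would later walk req->head,
             * i.e. memory the owner is about to free. */
            return 0;
        }
        req->cancelled = true;
        wq_del(req->head, &req->wait);  /* detach while the queue still exists */
        req->head = NULL;               /* must be last: no access to the queue after this */
        return 1;
    }
    /* Ordinary readiness: a real poller would complete the request here. */
    return 0;
}

/* Owner teardown, as signalfd/binder do: notify waiters, then free the queue. */
static void owner_destroy(struct wq_head *h)
{
    wq_wake(h, EPOLLHUP | POLLFREE);
    free(h);
}

/* Arm one request on a fresh queue, destroy the owner, and report whether the
 * request still points at the freed queue. The pointer is only compared, never
 * dereferenced, so the model itself stays memory-safe. */
static bool scenario(bool handles_pollfree)
{
    struct wq_head *h = calloc(1, sizeof *h);
    struct poll_req req = { .handles_pollfree = handles_pollfree };

    req.wait.priv = &req;
    req.wait.func = poll_wake;
    req.head = h;
    wq_add(h, &req.wait);
    owner_destroy(h);              /* h is freed here */
    return req.head != NULL;       /* true: dangling pointer into freed memory */
}

int main(void)
{
    printf("ignores POLLFREE -> dangling head: %s\n", scenario(false) ? "yes" : "no");
    printf("handles POLLFREE -> dangling head: %s\n", scenario(true) ? "yes" : "no");
    return 0;
}
```

The point the model makes is the ordering: the waiter has to remove its entry and clear its cached head pointer inside the POLLFREE wakeup, because that callback is the last moment the queue is guaranteed to exist; any cancel or completion path that runs afterwards may only act if the head pointer is still non-NULL.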