ACK: [SRU Focal/Jammy] CVE-2022-3176

Stefan Bader stefan.bader at canonical.com
Tue Sep 20 07:46:54 UTC 2022


On 19.09.22 19:57, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll()
> and binder_poll() use a waitqueue whose lifetime is the current task. It will
> send a POLLFREE notification to all waiters before the queue is freed.
> Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a
> use-after-free to occur if a signalfd or binder fd is polled with io_uring
> poll, and the waitqueue gets freed.
> 
> [Backport]
> Backports for Jammy include lots of changes to io_uring poll mechanism that
> were already ported to the stable 5.15.y series. All backports come from
> that series.
> 
> Focal backport is a single commit that was ported to stable 5.4.y series.
> 
> [Testing]
> liburing/test/ tests have been run against these kernels. On 5.4, many
> pre-existing failures were found. On 5.15, very few failures were found
> and did not regress. Given the small change on 5.4 and there are many
> failures there, I gave more attention to the 5.15 results, which did
> not regress.
> 
> 
> ----------------------
> 
> Jens Axboe (2):
>    io_uring: remove poll entry from list when canceling all
>    io_uring: bump poll refs to full 31-bits
> 
> Pavel Begunkov (10):
>    io_uring: refactor poll update
>    io_uring: move common poll bits
>    io_uring: kill poll linking optimisation
>    io_uring: inline io_poll_complete
>    io_uring: correct fill events helpers types
>    io_uring: clean cqe filling functions
>    io_uring: poll rework
>    io_uring: fail links when poll fails
>    io_uring: fix wrong arm_poll error handling
>    io_uring: fix UAF due to missing POLLFREE handling
> 
>   fs/io_uring.c | 740 +++++++++++++++++++++++---------------------------
>   1 file changed, 347 insertions(+), 393 deletions(-)
> 

Acked-by: Stefan Bader <stefan.bader at canonical.com>
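The [Impact] paragraph above describes the protocol that the last patch in the series restores: an owner whose waitqueue is about to die sends POLLFREE to every waiter, and the wake callback is the waiter's only chance to unlink itself before the memory is gone; any later remove_wait_queue() through a stored head pointer is the use-after-free. The following is an added user-space model of that lifetime bug, not code from the kernel, the patch set or this thread. The structures, the io_poll_wake_vulnerable()/io_poll_wake_fixed() callbacks, run_scenario() and the model-only `freed` flag are assumptions introduced here so the dangling-head condition can be observed without actually dereferencing freed memory.

```c
/* Added example: user-space model of the POLLFREE waitqueue protocol.
 * Not kernel code; the io_poll_* names and the 'freed' flag are assumptions. */
#include <stdbool.h>
#include <stdio.h>

#define EPOLLIN   0x001u
#define EPOLLERR  0x008u
#define EPOLLHUP  0x010u
#define POLLFREE  0x4000u  /* kernel: (__force __poll_t)0x4000, sent before a waitqueue dies */

struct wait_entry {
    struct wait_entry *prev, *next;
    int (*func)(struct wait_entry *w, unsigned mask);   /* wake callback */
};

struct wait_queue_head {
    struct wait_entry list;   /* circular list sentinel */
    bool freed;               /* model-only: set once the owning task "freed" it */
};

static void init_waitqueue_head(struct wait_queue_head *h)
{
    h->list.prev = h->list.next = &h->list;
    h->list.func = NULL;
    h->freed = false;
}

static void list_del_init(struct wait_entry *e)
{
    e->prev->next = e->next;
    e->next->prev = e->prev;
    e->prev = e->next = e;
}

static void add_wait_queue(struct wait_queue_head *h, struct wait_entry *e)
{
    e->next = h->list.next;
    e->prev = &h->list;
    h->list.next->prev = e;
    h->list.next = e;
}

/* Call every waiter; safe against callbacks that unlink themselves. */
static void wake_up_poll(struct wait_queue_head *h, unsigned mask)
{
    struct wait_entry *e = h->list.next;
    while (e != &h->list) {
        struct wait_entry *next = e->next;
        e->func(e, mask);
        e = next;
    }
}

/* Model of an io_uring poll request: the wait entry plus the head it sits on. */
struct io_poll {
    struct wait_entry wait;          /* first member, so a cast recovers the request */
    struct wait_queue_head *head;    /* where we are queued; stays stale in the bug */
    unsigned events;
    bool cancelled;
    bool completed;
};

/* Pre-fix behaviour: POLLFREE is just another wake-up, the entry stays linked
 * and poll->head keeps pointing at memory the owner is about to free. */
static int io_poll_wake_vulnerable(struct wait_entry *w, unsigned mask)
{
    struct io_poll *req = (struct io_poll *)w;
    if (mask && !(mask & req->events))
        return 0;
    req->completed = true;
    return 0;
}

/* Post-fix behaviour in spirit: on POLLFREE, cancel the request, unlink the
 * entry now while the head is still alive, and forget the head pointer. */
static int io_poll_wake_fixed(struct wait_entry *w, unsigned mask)
{
    struct io_poll *req = (struct io_poll *)w;
    if (mask & POLLFREE) {
        req->cancelled = true;
        req->events = 0;
        list_del_init(&req->wait);
        req->head = NULL;
        return 0;
    }
    if (mask && !(mask & req->events))
        return 0;
    req->completed = true;
    return 0;
}

/* Late cancellation (ring teardown, cancel-all): remove_wait_queue(poll->head, ...).
 * Returns 1 if unlinked from a live head, 0 if nothing was left to unlink,
 * -1 where the real kernel would be touching freed memory (model-only check). */
static int io_poll_cancel(struct io_poll *req)
{
    struct wait_queue_head *head = req->head;
    if (!head)
        return 0;
    if (head->freed)
        return -1;
    list_del_init(&req->wait);
    req->head = NULL;
    return 1;
}

/* Arm one poll on a task-owned waitqueue, let the task exit, then cancel late. */
int run_scenario(bool fixed)
{
    struct wait_queue_head task_wqh;   /* lifetime: the owning "task" */
    struct io_poll req = { .events = EPOLLIN | EPOLLERR | EPOLLHUP };  /* HUP/ERR always armed */

    init_waitqueue_head(&task_wqh);
    req.wait.func = fixed ? io_poll_wake_fixed : io_poll_wake_vulnerable;
    req.head = &task_wqh;
    add_wait_queue(&task_wqh, &req.wait);

    /* signalfd_poll()/binder_poll() owner goes away: notify waiters, then free. */
    wake_up_poll(&task_wqh, EPOLLHUP | POLLFREE);
    task_wqh.freed = true;

    return io_poll_cancel(&req);
}

int main(void)
{
    printf("vulnerable: late cancel -> %d (-1 = dangling head)\n", run_scenario(false));
    printf("fixed:      late cancel -> %d (0 = already unlinked)\n", run_scenario(true));
    return 0;
}
```

The point to take from the model is where the fix has to live: by the time cancellation runs, nothing can tell a freed head from a live one, so the only safe moment to drop the entry and null poll->head is inside the wake callback, while the POLLFREE wake-up is being delivered.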
