[SRU Jammy,Kinetic,Lunar,OEM-6.0,OEM-6.1 0/1] CVE-2023-3389

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Tue Jul 4 23:51:46 UTC 2023

A race with a linked timeout io_uring OP and poll removal may lead to a
use-after-free. An unprivileged user can use this to cause a denial of
service (system crash) or code execution.

5.15 had a backport of its own upstream, which was used for both Jammy and
Kinetic. The original upstream fix applieds to Lunar, OEM-6.1 and OEM-6.0.

[Potential regression]
Poll removal on io-uring can regress.

Jens Axboe (1):
  io_uring: hold uring mutex around poll removal

 io_uring/io_uring.c | 3 +++
 1 file changed, 3 insertions(+)


More information about the kernel-team mailing list