CVE-2021-3491 - Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT bypass

                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2021-3491 - Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT bypass

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Thadeu Lima de Souza Cascardo &lt;cascardo () canonical com&gt;

Date: Tue, 11 May 2021 15:13:46 -0300

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
It was discovered that io_uring PROVIDE_BUFFERS operation allowed the
MAX_RW_COUNT limit to be bypassed, which led to negative values being used
in mem_rw when reading /proc/&lt;PID&gt;/mem.

Billy Jheng Bing-Jhong (@st424204) of STAR Labs working with Trend Micro's
Zero Day Initiative discovered that this vulnerability could be turned into
a heap overflow. This has been reported as ZDI-CAN-13546, and assigned
CVE-2021-3491.

IORING_OP_PROVIDE_BUFFERS was introduced in commit ddf0322db79c ("io_uring:
add IORING_OP_PROVIDE_BUFFERS") where lengths larger than MAX_RW_COUNT
could be used and accepted. This commit was introduced in 5.7-rc1. It was
not backported to any upstream LTS kernels.

This has been fixed by commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d1f82808877bb10d3deee7cf3374a4eb3fb582db

Cascardo.

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

CVE-2021-3491 - Linux kernel io_uring PROVIDE_BUFFERS MAX_RW_COUNT bypass Thadeu Lima de Souza Cascardo (May 11)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->