Description
The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b ("io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") (v5.7-rc1).
Related CPE's
o
linux
linux_kernel
o
canonical
ubuntu_linux
References
https://security.netapp.com/advisory/ntap-20210716-0004/
https://ubuntu.com/security/notices/USN-4949-1
https://ubuntu.com/security/notices/USN-4950-1
https://www.openwall.com/lists/oss-security/2021/05/11/13
https://www.zerodayinitiative.com/advisories/ZDI-21-589/
CVSS impact metrics
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 · High
CVSS V3.1
CVSS V3.0
CVSS V2.0
Information
Source identifier
Vulnerability status
Analyzed
Published
2021-06-04T02:15:07.253
4 years agoLast modified
2021-09-14T14:31:37.070
3 years ago