About CVE-2022-29582 (asynchronous I/O interface provided by the Linux kernel before 5.17.3)

Preface: On 29th March, 2022 Linus Torvalds announced the release and general availability of Linux 5.17 as the latest and greatest kernel series for Linux-based operating systems adding new features and improving hardware support.

Background: As HPC workflows become more complex, data management services need to perform asynchronous I/O operations in the background. Asynchronous I/O strategies are also being adopted in large-scale deep learning applications: I/O tasks, together with the runtime support that lets their execution overlap with compute tasks, increase task parallelism and application performance.
Asynchronous I/O is becoming more and more popular with the massive data access required by scientific applications.

Vulnerability details (official announcement): In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race condition perhaps can only be exploited infrequently.

Security focus in design flaws (use after free): Refer to step 6 of the attached diagram. What happens next is shown below:
io_uring_enter() is used to initiate and complete I/O using the shared submission and completion queues set up by a call to io_uring_setup(2). A single call can both submit new I/O and wait for completions of I/O initiated by this call or by previous calls to io_uring_enter().
fd is the file descriptor returned by io_uring_setup(2); to_submit specifies the number of I/Os to submit from the submission queue.

When the IORING_OP_TIMEOUT (T) and IORING_OP_LINK_TIMEOUT (LT) opcodes are combined in a linked submission queue entry and another request (B) finishes, a race can occur: because B completed, T is cancelled (through the completion event count) while, at the same time, LT is cancelled by its hrtimer. While T is still being cleaned up, LT has already been freed by a different execution context, and since the two are linked, the cleanup of T retains a dangling reference to the now-freed LT. Hence, there is a use-after-free.
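To make the ownership rule behind this bug class concrete, here is an added userspace model (example code, not the kernel's io_uring implementation and not the fix commit): two contexts race to cancel the same timeout request, and a reference count plus an "armed" flag taken under a lock guarantee that whoever loses the cancellation race never frees memory the winner is still cleaning up. The struct and function names are assumptions made for this example.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
/* Userspace model (not kernel code) of a pending timeout request that two contexts may
 * cancel at once: the completion path (T cancelled as B completes) and LT's hrtimer. */
struct timeout_req {
    pthread_mutex_t lock; /* stands in for the completion lock */
    bool armed;           /* true while the simulated hrtimer still owns a reference */
    atomic_int refs;      /* one reference per party that may still touch the request */
    atomic_int *freed;    /* shared counter of simulated frees, to check the invariant */
};
/* Drop one reference; the memory goes away only when the last user is gone. */
static void req_put(struct timeout_req *req) {
    if (atomic_fetch_sub(&req->refs, 1) == 1) {
        atomic_fetch_add(req->freed, 1);
        pthread_mutex_destroy(&req->lock);
        free(req);
    }
}
/* Only the caller that finds the request still armed may drop the timer's reference;
 * the loser releases nothing, so neither context can free memory the other still uses. */
static bool cancel_timeout(struct timeout_req *req) {
    pthread_mutex_lock(&req->lock);
    bool won = req->armed;
    req->armed = false;
    pthread_mutex_unlock(&req->lock);
    if (won) req_put(req);
    return won;
}
static void *racing_context(void *arg) {
    cancel_timeout(arg);
    req_put(arg); /* this context's own reference */
    return NULL;
}
/* Race two cancellers over `iterations` fresh requests; returns the number of frees
 * observed, which must equal `iterations` (no double free, no leak). */
int run_cancel_race(int iterations) {
    atomic_int freed = 0;
    for (int i = 0; i < iterations; i++) {
        struct timeout_req *req = malloc(sizeof *req);
        pthread_mutex_init(&req->lock, NULL);
        req->armed = true; req->freed = &freed;
        atomic_init(&req->refs, 3); /* armed timer + two racing contexts */
        pthread_t a, b;
        pthread_create(&a, NULL, racing_context, req);
        pthread_create(&b, NULL, racing_context, req);
        pthread_join(a, NULL); pthread_join(b, NULL);
    }
    return atomic_load(&freed);
}
```

Freeing the request directly from the winning canceller instead of through req_put would reproduce the shape of this CVE: the losing context would still lock and read a request that no longer exists.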

Remedy: io_uring: fix race between timeout flush and removal. Please refer to the link for details – https://github.com/torvalds/linux/commit/e677edbcabee849bfdd43f1602bccbecf736a646
