Security Vulnerability in the io_uring Subsystem Enables Unauthorized Root Access

In the io_uring asynchronous I/O interface provided by the Linux kernel, identified vulnerability (CVE-2024-0582), allowing an unprivileged user to gain root privileges on the system. To exploit the vulnerability, normal local access to the system is sufficient, without the need to manipulate namespaces. Currently publicly available working exploitand described in detail The second technique is to exploit the vulnerability.

The vulnerability is caused by access to an already freed memory block (use-after-free) in the io_uring subsystem, which occurs when registering and freeing a ring buffer created with the IORING_REGISTER_PBUF_RING flag. When the mmap() operation is applied to a buffer, it remains reflected into user space after the release operation is performed (IORING_UNREGISTER_PBUF_RING). Using this feature, an attacker can read and write data to memory pages returned to the kernel memory allocation system.


The problem has been appearing since the release of the Linux kernel 6.4 and eliminated in releases 6.7 and 6.6.5, as well as in the kernel package 6.5.0-21, prepared for Ubuntu 22.04 and 23.10. It is noteworthy that in the main kernel the problem was fixed in December 2023, the Google Zero project opened access to a signal indicating the presence of a vulnerability message about the bug on January 8, and the package with the corrected 6.5 kernel for Ubuntu was formed only February 22, 2024. In other distributions, you can track the fix and exposure to the vulnerability on the following pages: Debian, Gentoo, RHEL, SUSE, Fedora, Arch.

First exploit manipulates creating a large number of attacker-controlled memory pages to determine the memory layout in the kernel and access neighboring physical memory pages, using the contents of specially filled network socket structures as beacons. To run the code, the exploit uses a “gadget” (a sequence of instructions existing in the kernel) that leads to the execution of the function
call_usermodehelper_execdesigned to run processes in user space from the kernel.

Second exploit is based based on the fact that when all slab blocks in the cache are exhausted (for example, when a file is opened many times), free memory pages to which the attacker still has access are used by the memory allocation system to create a new slab block and all new file structures begin to be located in this block. Accordingly, some file structures will end up in memory pages that can be read and written by an attacker. Operation in this case comes down to organizing the entry of the desired file into the file cache and replacing the f_mode field in the associated file structures, which determines access rights, which allows you to make the desired system file, for example, /etc/passwd, writable.

Thanks for reading: