Message ID | 20230704235149.731733-1-cascardo@canonical.com |
---|---|
Series | CVE-2023-3389 |

On 7/4/23 5:51 PM, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A race with a linked timeout io_uring OP and poll removal may lead to a
> use-after-free. An unprivileged user can use this to cause a denial of
> service (system crash) or code execution.
>
> [Backport]
> 5.15 had a backport of its own upstream, which was used for both Jammy and
> Kinetic. The original upstream fix applies to Lunar, OEM-6.1 and OEM-6.0.
>
> [Potential regression]
> Poll removal on io-uring can regress.
>
> Jens Axboe (1):
>   io_uring: hold uring mutex around poll removal
>
>  io_uring/io_uring.c | 3 +++
>  1 file changed, 3 insertions(+)
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>

Thadeu Lima de Souza Cascardo wrote on 5.7.2023 at 2.51:
> [Impact]
> A race with a linked timeout io_uring OP and poll removal may lead to a
> use-after-free. An unprivileged user can use this to cause a denial of
> service (system crash) or code execution.
>
> [Backport]
> 5.15 had a backport of its own upstream, which was used for both Jammy and
> Kinetic. The original upstream fix applies to Lunar, OEM-6.1 and OEM-6.0.
>
> [Potential regression]
> Poll removal on io-uring can regress.
>
> Jens Axboe (1):
>   io_uring: hold uring mutex around poll removal
>
>  io_uring/io_uring.c | 3 +++
>  1 file changed, 3 insertions(+)
>

applied to oem-6.0/6.1, thanks

Acked-by: Luke Nowakowski-Krijger <luke.nowakowskikrijger@canonical.com>

On Tue, Jul 4, 2023 at 4:53 PM Thadeu Lima de Souza Cascardo <cascardo@canonical.com> wrote:
> [Impact]
> A race with a linked timeout io_uring OP and poll removal may lead to a
> use-after-free. An unprivileged user can use this to cause a denial of
> service (system crash) or code execution.
>
> [Backport]
> 5.15 had a backport of its own upstream, which was used for both Jammy and
> Kinetic. The original upstream fix applies to Lunar, OEM-6.1 and OEM-6.0.
>
> [Potential regression]
> Poll removal on io-uring can regress.
>
> Jens Axboe (1):
>   io_uring: hold uring mutex around poll removal
>
>  io_uring/io_uring.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> --
> 2.34.1

On 05.07.23 01:51, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A race with a linked timeout io_uring OP and poll removal may lead to a
> use-after-free. An unprivileged user can use this to cause a denial of
> service (system crash) or code execution.
>
> [Backport]
> 5.15 had a backport of its own upstream, which was used for both Jammy and
> Kinetic. The original upstream fix applies to Lunar, OEM-6.1 and OEM-6.0.
>
> [Potential regression]
> Poll removal on io-uring can regress.
>
> Jens Axboe (1):
>   io_uring: hold uring mutex around poll removal
>
>  io_uring/io_uring.c | 3 +++
>  1 file changed, 3 insertions(+)
>

Applied to lunar,jammy:linux/master-next and jammy:linux-hwe-5.19/hwe-5.19-next (since Kinetic goes EOL). Thanks.

-Stefan