
[SRU,Jammy,Kinetic,Lunar,OEM-6.0,OEM-6.1,0/1] CVE-2023-3389

Message ID 20230704235149.731733-1-cascardo@canonical.com
Series CVE-2023-3389

Message

Thadeu Lima de Souza Cascardo July 4, 2023, 11:51 p.m. UTC
[Impact]
A race with a linked timeout io_uring OP and poll removal may lead to a
use-after-free. An unprivileged user can use this to cause a denial of
service (system crash) or code execution.

[Backport]
5.15 had a backport of its own upstream, which was used for both Jammy and
Kinetic. The original upstream fix applies to Lunar, OEM-6.1 and OEM-6.0.

[Potential regression]
Poll removal on io-uring can regress.

Jens Axboe (1):
  io_uring: hold uring mutex around poll removal

 io_uring/io_uring.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Tim Gardner July 5, 2023, 5:48 p.m. UTC | #1
On 7/4/23 5:51 PM, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A race with a linked timeout io_uring OP and poll removal may lead to a
> use-after-free. An unprivileged user can use this to cause a denial of
> service (system crash) or code execution.
> 
> [Backport]
> 5.15 had a backport of its own upstream, which was used for both Jammy and
> Kinetic. The original upstream fix applies to Lunar, OEM-6.1 and OEM-6.0.
> 
> [Potential regression]
> Poll removal on io-uring can regress.
> 
> Jens Axboe (1):
>    io_uring: hold uring mutex around poll removal
> 
>   io_uring/io_uring.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Timo Aaltonen July 6, 2023, 8:31 a.m. UTC | #2
Thadeu Lima de Souza Cascardo wrote on 5.7.2023 at 2.51:
> [Impact]
> A race with a linked timeout io_uring OP and poll removal may lead to a
> use-after-free. An unprivileged user can use this to cause a denial of
> service (system crash) or code execution.
> 
> [Backport]
> 5.15 had a backport of its own upstream, which was used for both Jammy and
> Kinetic. The original upstream fix applies to Lunar, OEM-6.1 and OEM-6.0.
> 
> [Potential regression]
> Poll removal on io-uring can regress.
> 
> Jens Axboe (1):
>    io_uring: hold uring mutex around poll removal
> 
>   io_uring/io_uring.c | 3 +++
>   1 file changed, 3 insertions(+)
> 

applied to oem-6.0/6.1, thanks
Luke Nowakowski-Krijger July 6, 2023, 9:22 p.m. UTC | #3
Acked-by: Luke Nowakowski-Krijger <luke.nowakowskikrijger@canonical.com>

On Tue, Jul 4, 2023 at 4:53 PM Thadeu Lima de Souza Cascardo <cascardo@canonical.com> wrote:

> [Impact]
> A race with a linked timeout io_uring OP and poll removal may lead to a
> use-after-free. An unprivileged user can use this to cause a denial of
> service (system crash) or code execution.
>
> [Backport]
> 5.15 had a backport of its own upstream, which was used for both Jammy and
> Kinetic. The original upstream fix applies to Lunar, OEM-6.1 and OEM-6.0.
>
> [Potential regression]
> Poll removal on io-uring can regress.
>
> Jens Axboe (1):
>   io_uring: hold uring mutex around poll removal
>
>  io_uring/io_uring.c | 3 +++
>  1 file changed, 3 insertions(+)
>
Stefan Bader July 7, 2023, 9:44 a.m. UTC | #4
On 05.07.23 01:51, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A race with a linked timeout io_uring OP and poll removal may lead to a
> use-after-free. An unprivileged user can use this to cause a denial of
> service (system crash) or code execution.
> 
> [Backport]
> 5.15 had a backport of its own upstream, which was used for both Jammy and
> Kinetic. The original upstream fix applies to Lunar, OEM-6.1 and OEM-6.0.
> 
> [Potential regression]
> Poll removal on io-uring can regress.
> 
> Jens Axboe (1):
>    io_uring: hold uring mutex around poll removal
> 
>   io_uring/io_uring.c | 3 +++
>   1 file changed, 3 insertions(+)
> 

Applied to lunar,jammy:linux/master-next and
jammy:linux-hwe-5.19/hwe-5.19-next (since Kinetic goes EOL). Thanks.

-Stefan