io_uring Vulnerability Resulting in Freeing Wrong Kernel Buffer
Original Post:
We discussed this vulnerability during Episode 86 on 28 September 2021
An interesting primitive in io_uring (CVE-2021-41073) resulting in the ability to free adjacent kernel buffers.

For files that do not provide the read_iter operation, io_uring falls back to loop_rw_iter to perform the read/write manually in a loop. As it reads, it increments the request's addr field by the number of bytes read. Normally addr is a userland pointer, so the increment is harmless. If IORING_OP_PROVIDE_BUFFERS was called beforehand, however, the request selects a provided buffer and addr instead holds a pointer to a kernel-allocated buffer object, which io_uring frees once the operation completes. Because addr has been advanced by the size of the read, the pointer handed to the free is no longer the start of that object; what actually gets freed is whatever kernel allocation sits at that offset, so an attacker who chooses the read size chooses which adjacent kernel buffer is freed.
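The primitive described above, modeled in userspace C as an added example. This is not the kernel's code and not part of the original post: struct kbuf, struct rw_req, struct iter, struct fake_file, fake_read and complete_rw are constructed stand-ins for the corresponding io_uring pieces, and the sample payload is constructed input. loop_rw_iter_vuln keeps the bug (addr advanced on every full read, whatever it points at); loop_rw_iter_fixed restricts the addr update to fixed (bvec) buffers, where addr genuinely is a data pointer, which is the approach the upstream fix took. complete_rw checks whether the pointer being freed is the allocated object instead of blindly freeing it, since a real kfree has no such check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the loop_rw_iter bug; names are simplified stand-ins,
 * not the kernel's structures. */

/* Object allocated by IORING_OP_PROVIDE_BUFFERS; freed when the request completes. */
struct kbuf { char *data; size_t len; };

/* Request state. Like req->rw.addr in the kernel, `addr` is overloaded: after
 * buffer selection it holds the kbuf pointer, not a data pointer. */
struct rw_req { uintptr_t addr; size_t len; bool buf_select; };

/* Iterator over the data segment the read fills. is_bvec marks fixed buffers. */
struct iter { char *base; size_t len; bool is_bvec; };

/* File with no read_iter: a plain ->read that copies what it has left. */
struct fake_file { const char *src; size_t remaining; };

static size_t fake_read(struct fake_file *f, char *dst, size_t want)
{
    size_t n = f->remaining < want ? f->remaining : want;
    memcpy(dst, f->src, n);
    f->src += n;
    f->remaining -= n;
    return n;
}

/* Vulnerable shape: advances req->addr on every full read, regardless of
 * what addr currently points at. */
static size_t loop_rw_iter_vuln(struct fake_file *f, struct rw_req *req, struct iter *it)
{
    size_t ret = 0;
    while (it->len) {
        size_t nr = fake_read(f, it->base, it->len);
        ret += nr;
        if (nr != it->len)
            break;              /* short read: stop, as the kernel loop does */
        req->len  -= nr;
        req->addr += nr;        /* BUG: when buf_select is set this moves the kbuf pointer */
        it->base  += nr;
        it->len   -= nr;
    }
    return ret;
}

/* Fixed shape: only a fixed (bvec) buffer keeps its cursor in req->addr; a
 * regular iovec advances the iterator alone and leaves addr untouched. */
static size_t loop_rw_iter_fixed(struct fake_file *f, struct rw_req *req, struct iter *it)
{
    size_t ret = 0;
    while (it->len) {
        size_t nr = fake_read(f, it->base, it->len);
        ret += nr;
        if (nr != it->len)
            break;
        if (it->is_bvec) {
            req->len  -= nr;
            req->addr += nr;
        }
        it->base += nr;
        it->len  -= nr;
    }
    return ret;
}

/* Completion: a buffer-select request frees its kbuf through req->addr.
 * Returns true when that pointer is the object that was allocated. */
static bool complete_rw(struct rw_req *req, struct kbuf *allocated)
{
    if (!req->buf_select)
        return true;
    struct kbuf *to_free = (struct kbuf *)req->addr;
    bool sane = (to_free == allocated);
    if (sane)
        free(to_free);          /* a real kfree() would free whatever addr names */
    return sane;
}

/* Drive one provided-buffer read through either loop. Returns whether the
 * completion-time free hit the right object; *moved receives how far addr
 * drifted from the allocation (the read size in the vulnerable case). */
static bool run_read(bool use_fixed, size_t *moved)
{
    static const char payload[] = "constructed sample data";   /* constructed input */
    char out[sizeof payload];
    struct kbuf *kb = calloc(1, sizeof *kb);
    kb->data = out;
    kb->len  = sizeof payload;

    struct rw_req req   = { .addr = (uintptr_t)kb, .len = kb->len, .buf_select = true };
    struct iter it      = { .base = kb->data, .len = kb->len, .is_bvec = false };
    struct fake_file f  = { .src = payload, .remaining = sizeof payload };

    if (use_fixed)
        loop_rw_iter_fixed(&f, &req, &it);
    else
        loop_rw_iter_vuln(&f, &req, &it);

    *moved = req.addr - (uintptr_t)kb;
    bool ok = complete_rw(&req, kb);
    if (!ok)
        free(kb);               /* release the model's allocation; the kernel freed the wrong one */
    return ok;
}
```

With the vulnerable loop, run_read reports the free landing sizeof(payload) bytes past the kbuf: in the kernel that offset is attacker-chosen via the read length, which is what turns a wrong free into a free of a neighbouring allocation. With the fixed loop addr never moves and the free is correct.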