io_uring Vulnerability Resulting in Freeing Wrong Kernel Buffer

We discussed this vulnerability during Episode 86 on 28 September 2021

An interesting primitive in io_uring resulting in the ability to free adjacent kernel buffers.

For files that do not provide the read_iter operation, io_uring falls back to loop_rw_iter to perform the reads/writes manually in a loop. As it reads, it increments the request's addr field by the size of each read. Normally this is a userland pointer; however, by calling IORING_OP_PROVIDE_BUFFERS beforehand, a kernel buffer can be used instead, which is freed once the operation completes. Because the addr field is no longer where it started, it is possible to free adjacent kernel buffers.
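The drift described above, as a simplified model written for this page (a constructed example, not kernel code): the request's single addr field doubles as the pointer to the selected buffer's kernel-side descriptor, the defective loop advances that field on every partial read, and the corrected loop keeps the read position in locals so the completion path frees the descriptor it started with. The struct and function names, the 16-byte chunk size and the sample payload are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not kernel code): a selected buffer is tracked by a
 * kernel-side descriptor, and the request's 'addr' field is reused to hold
 * the descriptor pointer that the completion path will later free. */
struct kbuf_desc { char *ubuf; };            /* where the data really goes */
struct req { uintptr_t addr; size_t len; };  /* addr: user ptr or descriptor ptr */

/* Stand-in for a file without read_iter: serves at most 16 bytes per call. */
static size_t read_chunk(const char *src, size_t off, char *dst, size_t n) {
    size_t take = n < 16 ? n : 16;
    memcpy(dst, src + off, take);
    return take;
}

/* Defective loop: bumps req->addr by each partial read, so when the loop
 * ends the field no longer points at the descriptor that was selected. */
static void *loop_rw_buggy(struct req *r, const char *src) {
    char *dst = ((struct kbuf_desc *)r->addr)->ubuf;
    size_t done = 0;
    while (r->len) {
        size_t nr = read_chunk(src, done, dst + done, r->len);
        done += nr; r->len -= nr;
        r->addr += nr;                 /* defect: descriptor pointer drifts */
    }
    return (void *)r->addr;            /* pointer the completion path frees */
}

/* Corrected loop: the read position lives in locals; req->addr is untouched. */
static void *loop_rw_fixed(struct req *r, const char *src) {
    char *dst = ((struct kbuf_desc *)r->addr)->ubuf;
    size_t done = 0, left = r->len;
    while (left) {
        size_t nr = read_chunk(src, done, dst + done, left);
        done += nr; left -= nr;
    }
    return (void *)r->addr;
}

/* Runs one 40-byte transfer and returns how many bytes past the descriptor
 * the to-be-freed pointer lands (0 means the right object would be freed);
 * -1 signals that the payload itself was not delivered intact. */
ptrdiff_t free_drift(int use_fixed) {
    static const char src[40] = "constructed sample payload";  /* constructed */
    char ubuf[40];
    struct kbuf_desc desc = { ubuf };
    struct req r = { (uintptr_t)&desc, sizeof src };
    void *freed = use_fixed ? loop_rw_fixed(&r, src) : loop_rw_buggy(&r, src);
    if (memcmp(ubuf, src, sizeof src) != 0) return -1;
    return (ptrdiff_t)((uintptr_t)freed - (uintptr_t)&desc);
}
```

Both loops deliver the same 40 bytes; only the defective one leaves the free target 40 bytes past the descriptor, which is the "adjacent kernel buffer" the text refers to.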