io_uring: fix UAF in get_files_struct()
hulk inclusion category: bugfix bugzilla: 186337, https://gitee.com/openeuler/kernel/issues/I4XA09 CVE: NA -------------------------------- If two tasks are running concurrently as follows: task1 | task2 io_uring_enter | io_wqe_worker io_submit_sqes | io_submit_sqe | io_queue_sqe | io_req_defer | io_req_defer_prep | io_prep_work_files | io_grab_files | req->work.files = current->files | io_queue_async_work | __io_queue_async_work | io_wq_enqueue | io_wqe_insert_work | | io_worker_handle_work | io_impersonate_work | current->files = work->files And then, one of the concurrency UAF can be shown as below: free use (task3 ls -l /proc/io_wqe_worker id/fd ) do_exit // tsk = current = work->files | exit_files | put_files_struct | tsk->files // tsk->files = work->files | | iterate_dir | proc_readfd_common | p = get_proc_task(file_inode(file)) | get_files_struct | files = task->files | atomic_inc(&files->count) The root cause of UAF bugs is when get req->work.files doesn't add refcount. The mainline commit 0f212204(io_uring: don't rely on weak ->files references) fixes this problem, based on this commit to resolved the problme. Signed-off-by:Luo Meng <luomeng12@huawei.com> Reviewed-by:
Loading
Please sign in to comment