CVE-2021-47040: Official Resolution of Linux Kernel Vulnerability in io_uring

In recent times, a significant vulnerability was discovered in the Linux kernel, which resulted in potential overflow and sign extension issues in the io_uring subsystem. As a response to this critical issue, a comprehensive resolution has now been implemented to fix the related overflow checks within the provide buffers function. This post will discuss the details of the vulnerability and the resolution process, as well as guide you through the updated code snippets and exploit details.

CVE-2021-47040 (Common Vulnerabilities and Exposures) refers to a particular Linux kernel vulnerability discovered in the io_uring subsystem. The primary issue in question involved the improper handling of integer overflows and sign extensions, as initially reported by Colin and later acknowledged by Linus Torvalds. This oversight in the io_provide_buffers_prep() function could potentially lead to severe system crashes or compromised system security.

The resolution provided for this vulnerability involves utilizing the check overflow helpers, as well as modifying the struct io_provide_buf::len type from a signed integer to an unsigned integer. This fix effectively addresses the overflow and sign extension problems that were identified and reduces the risk of undue system crashes or security breaches.

Here is the code snippet showing the new implementation of io_provide_buffers_prep()

- int __user *bi, void __user *ptr, int  len, unsigned int mod,
+ int __user *bi, void __user *ptr, unsigned int len, unsigned int mod,

int  ret = -EINVAL;
unsigned int size;
ptrdiff_t req_index;
struct io_sqe *sqe;
struct io_provide_buf scr;

if (!ring_buffer_readyprep())
goto out;

ret = -ENXIO;
scr.len = len;
if (check_mul_overflow(scr.len, sizeof(__s32), &size) || 
check_add_overflow((unsigned long) ptr, size, (unsigned long *)&ret))
goto out;

scr.bi  = bi;
scr.ptr = ptr;
scr.nr  = mod & (IORING_PROVIDE_BUFFERS_NR_MASK);
scr.once = (mod & IORING_PROVIDE_BUFFERS_ONCE)  != ;
scr.flush = (mod & IORING_PROVIDE_BUFFERS_FLUSH) != ;
sqe->forder.arg2 = scr.off;

As evident from the code above, the critical change in addressing this vulnerability lies in the modification of the len type within the io_provide_buf struct, as well as the utilization of check helpers functions.

To get more information about the official resolution, please refer to the following links where the original reports and discussions took place:

1. Overflow Issue Report
2. Linus Torvalds Acknowledgement
3. Linux Kernel Commit: d81269fecb8ce

In conclusion, the Linux kernel vulnerability CVE-2021-47040 in io_uring has now been resolved through a well-thought-out and effective solution, which includes the implementation of check_overflow helpers and a necessary update of the struct io_provide_buf::len type. For users, it is of utmost importance to apply any kernel updates to ensure that their systems remain secure and free from potential exploitation resulting from this vulnerability.

Timeline

Published on: 02/28/2024 09:15:39 UTC
Last modified on: 02/28/2024 14:06:45 UTC