In 2022, security researchers uncovered a critical bug in the Linux kernel’s io_uring subsystem, now known as CVE-2022-1116. This serious flaw, an Integer Overflow or Wraparound, lets local attackers trigger memory corruption and even gain root privileges on affected systems. Below, we’ll break down how this vulnerability works, the code involved, and what you can do to stay protected.
What is io_uring Anyway?
io_uring is a new interface added to the Linux kernel to handle efficient asynchronous I/O operations. It’s popular because it boosts the performance of disk and file operations, especially for high-load servers and advanced applications.
Integer Overflow, the Villain
In some situations, if you add two large numbers, the result wraps around back to a smaller number. Imagine if you have an 8-bit integer (unsigned char), and you add 200 + 100; you’d expect 300, but you actually get 44, losing the extra 256 due to overflow. This is called integer overflow.
Where the Overflow Happened
In certain versions of the Linux kernel’s io_uring code, the bug occurs when the kernel allocates large memory buffers for incoming I/O operations. The code forgets to properly check for situations where the size calculation can wrap around due to overflow, resulting in smaller-than-expected buffers being allocated. Attackers can exploit this to write more data than the buffer can hold, corrupting memory.
Linux kernel 5.4.24 and later versions
- All distributions using these kernels are affected, such as Ubuntu, Red Hat, Debian, SUSE, and others.
Here’s a simplified version of how the flawed memory allocation happened
// This is a simplified version for illustration only, not actual kernel code
unsigned int max_requests = user_input;
unsigned int ring_entries = max_requests + extra_space; // PROBLEM: possible overflow!
void *ring = kmalloc(ring_entries * sizeof(struct io_uring_sqe), GFP_KERNEL);
With the right user_input, max_requests + extra_space can wrap around to a much smaller number, and kmalloc will allocate a buffer too small for the actual needs.
A local attacker would manipulate max_requests to trigger the overflow
#define LARGE_NUM xFFFFFFF
#define IOURING_OP /* whatever syscall triggers io_uring setup */
int main() {
// Set up io_uring with very large number requests to cause overflow
struct io_uring_params p;
memset(&p, , sizeof(p));
int fd = syscall(__NR_io_uring_setup, LARGE_NUM, &p);
if (fd < ) {
perror("io_uring_setup failed");
return 1;
}
// Now try to overflow operations and corrupt kernel memory!
}
With careful manipulation, the attacker may end up writing outside the buffer, tampering with adjacent kernel memory structures.
Exploitation: From Corruption to Root
Memory corruption is the attacker’s entry point. By overwriting kernel structures near the corrupted buffer, an attacker may redirect execution flow or modify privileged data. Chaining this with well-known *heap spraying* or *ROP* techniques can yield a reliable root shell.
Set up an io_uring with an oversized request count to trigger the overflow.
2. Issue crafted I/O operations that intentionally write past the buffer.
Use this corruption to elevate privileges or execute arbitrary code in the kernel (root).
Check this demonstration for how one might escalate from an info leak/corruption to root:
- Dirty Pipe Exploit (CVE-2022-0847) for background on similar Linux kernel abuse
Original References
- CVE-2022-1116 on NVD (National Vulnerability Database)
- Red Hat Security advisory
- Kernel Patch
- io_uring documentation
How to Stay Safe
- Update Your Kernel. If you’re below 5.4.189 or using a later version listed as vulnerable, patch immediately.
Conclusion
CVE-2022-1116 shows how a simple arithmetic oversight can endanger entire systems. Integer overflows are a classic bug, but with powerful kernel features like io_uring, their impact can be devastating. Patch early, and always check user input inside kernel code!
Stay safe, happy hacking—responsibly.
For more kernel exploit deep-dives and defensive tips, follow security mailing lists and keep your systems up-to-date.
Timeline
Published on: 05/17/2022 17:15:00 UTC
Last modified on: 06/29/2022 19:15:00 UTC