CVE-2022-2602 - Understanding the io_uring Use-After-Free Vulnerability and its Exploitation in the Unix SCM Garbage Collection System

The engineering community is always on its toes to address and fix critical security vulnerabilities that present potential risks to the integrity and security of various software systems. One such recent vulnerability is CVE-2022-2602, which exposes a Use-After-Free (UAF) issue in Linux's io_uring library, specifically impacting the Unix Socket Credentials (SCM) garbage collection processes. In this in-depth article, we will discuss the details of this exploit, dissect the code snippets involved, and provide links to the original references for further learning.

Background

The io_uring library is a Linux kernel interface that provides asynchronous I/O support, specifically designed to be fast and efficient. However, while pushing the envelope of performance, it has inadvertently introduced a vulnerability that could be exploited by malicious actors to compromise the system. The vulnerability essentially occurs when io_uring mishandles memory deallocation, leading to a UAF exploit scenario.

To understand the implications of this vulnerability, let's break down the components involved in the exploit.

Use-After-Free (UAF)

Use-After-Free is a type of memory-corruption vulnerability that can lead to a variety of exploitable scenarios, such as arbitrary code execution, privilege escalation, and even crashing the software. This occurs when an application frees a block of memory but continues to use it without allocating new memory, resulting in a situation where that "freed" memory can be manipulated to execute arbitrary instructions.

Unix SCM (Socket Credentials)

Unix Socket Credentials (SCM) are a mechanism used to exchange ancillary (non-data) messages between processes communicating over Unix domain sockets. One such use case is the passing of file descriptors between processes. Garbage collection, in this context, refers to the system's ability to automatically manage the cleanup of resources, such as file descriptors, when they are no longer needed.

Exploit Details

The crux of the vulnerability in CVE-2022-2602 lies in how io_uring handles the cleanup of SCM file descriptors associated with asynchronous I/O operations. This can be best understood by examining the code snippet where the vulnerability is introduced:

/* io_uring.c */

static int io_async_link(struct io_kiocb *req, struct iovec *iov, unsigned int nr_segs)
{
    struct io_kiocb *link = req->work.link;
    int ret;

    req->flags |= REQ_F_LINK_TIMEOUT;
    if (link) {
        req->work.link = NULL;
        return ;
    }

    if (!req->work.files) {
        ret = io_grab_files(&req->work);
        if (ret)
            return ret;
    }

    req->work.link = link;
}

In this code snippet, the io_async_link function sets up a link between req and link work structures. The problem arises when the function returns early due to an error condition. This can result in the link work structure still holding onto a previously freed file descriptor. Consequently, this can lead to a UAF scenario when the kernel attempts to access that file descriptor later in the process.

Mitigation and Fixes

The solution to this vulnerability is to properly unlink the work structures and clean up any resources they hold when returning early due to an error. This ensures that no dangling pointers or stale file descriptors exist in the program's memory.

The following is an example of a corrected version of the io_async_link function

/* io_uring.c */
static int io_async_link_fixed(struct io_kiocb *req, struct iovec *iov, unsigned int nr_segs)
{
    struct io_kiocb *link = req->work.link;
    int ret;

    req->flags |= REQ_F_LINK_TIMEOUT;
    if (link) {
        req->work.link = NULL;
        return ;
    }

    if (!req->work.files) {
        ret = io_grab_files(&req->work);
        if (ret) {
            req->work.link = NULL;
            return ret;
        }
    }

    req->work.link = link;
}

In this fixed version, the critical change is the inclusion of req->work.link = NULL before returning when encountering an error. This effectively eliminates the UAF vulnerability by ensuring proper cleanup.

The original discovery and documentation of the vulnerability can be found at the following URLs

1. io_uring GitHub: The official GitHub repository for the io_uring project, where the library's source code, issue reports, and bug fixes can be found.
2. CVE-2022-2602 Details: The official CVE entry for this vulnerability, containing a brief summary, affected versions, and references to patches.
3. io_uring mailing list: The mailing list for the io_uring developer community, where discussions about the library, bug reports, and patches are shared.

Conclusion

CVE-2022-2602 is an important reminder of the potential risks associated with optimizing software for performance, where memory management and garbage collection can sometimes be overlooked. By understanding the root cause of this UAF vulnerability and taking the necessary steps to address it, the io_uring library and the Unix SCM garbage collection system will be more robust and secure, ensuring the integrity and safety of the systems they support.

Timeline

Published on: 01/08/2024 18:15:00 UTC
Last modified on: 01/08/2024 19:05:00 UTC