Because reliable exploitation data is lacking, a high risk rating is given. For a local user able to create and destroy arbitrary iovec devices, it is likely that only user data will be corrupted, though system data may also be at risk.
For a remote user, the race condition is likely to be exploitable only where a denial of service attack is possible: an attacker could send a large number of requests to a service that uses iovec objects, causing those objects to be allocated and freed repeatedly. Since no user-level information is involved, the race condition probably occurs only under unusual circumstances, making remote exploitation unlikely.
For a local user, the iovec objects are created on the stack, so user-level information is likely to be corrupted by this use-after-free.
CVE-2023-29583
For a local user, this use-after-free corrupts user data, which makes the vulnerability difficult for an attacker to exploit. For a remote user, where a denial of service attack is possible, the race condition is likely to occur only when a large number of requests arrive in a short period. The race condition occurs on the stack, making remote exploitation unlikely.
Timeline
Published on: 04/22/2022 16:15:00 UTC
Last modified on: 08/08/2022 16:15:00 UTC
References
- https://www.openwall.com/lists/oss-security/2022/04/22/3
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e677edbcabee849bfdd43f1602bccbecf736a646
- https://github.com/torvalds/linux/commit/e677edbcabee849bfdd43f1602bccbecf736a646
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.17.3
- http://www.openwall.com/lists/oss-security/2022/04/22/4
- https://www.debian.org/security/2022/dsa-5127
- http://www.openwall.com/lists/oss-security/2022/08/08/3
- https://ruia-ruia.github.io/2022/08/05/CVE-2022-29582-io-uring/
- https://github.com/Ruia-ruia/CVE-2022-29582-Exploit
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29582