CVE-2022-29582 The Linux kernel before 5.17.3 has a use-after-free in io_uring timeouts due to a race condition.

Due to the lack of reliable exploitation data, a high risk rating is given; the rating is warranted in any case, because the bug is a use-after-free in kernel code that an unprivileged local user can reach. The objects involved are not "iovec devices": they are the kernel's io_uring timeout requests, which live in kernel heap memory (slab allocations), not on any user stack. A local user needs nothing more than the ability to set up an io_uring instance and submit timeout requests, which a default kernel allows for unprivileged processes. The likely outcomes are therefore a kernel crash (local denial of service) or, with a working exploitation technique, corruption of kernel memory leading to privilege escalation. "Only user data will be corrupted" is not a safe assumption, since user data is not what the freed object holds.

There is no direct remote attack surface: io_uring is a local system-call interface, so a remote attacker first needs code execution in a local process that can use it. A network service that uses io_uring internally could only be driven into this race by remote clients if client requests control when the service's timeouts are created and cancelled, which is an unusual design. For assessment purposes treat this as a local issue.

The race is between a timeout expiring and the same timeout being flushed or removed. If both paths conclude that they own the request, one releases it while the other still references it, which is the use-after-free. Kernel 5.17.3 closes this window; on unpatched kernels the practical mitigation is to deny io_uring to untrusted local users, for example with a seccomp policy that blocks io_uring_setup.
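The following is an added illustration of the bug class, not the kernel's code or the published fix: a small deterministic model in which a "timer expiry" path and a "flush/removal" path each decide whether they own a request and then release it. All names (step_buggy, step_fixed, run_order, max_frees, the T/F interleaving strings) are hypothetical. The model enumerates every interleaving of the two paths and counts how many times the single request is released; a count of 2 is the double release that, in real kernel code, becomes a use-after-free.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a timer-vs-cancel race (illustration only; not kernel code). */

enum state { ARMED, FIRING, CANCELLED, RELEASED };

struct req {
    enum state state;   /* lifecycle of the timeout request */
    int frees;          /* how many paths released it; >1 means use-after-free */
};

/* One execution path: T = timer expiry, F = flush/removal. */
struct path {
    int pc;             /* next step to run: 0 = decide, 1 = act */
    int claimed;        /* this path believes it owns the request */
    enum state claim;   /* state it moves the request to when it claims it */
};

/* Vulnerable pattern: the ownership decision is made on a read in step 0,
 * and the release happens in step 1 with no re-check. The other path can
 * make the same decision in between, and both end up releasing. */
static void step_buggy(struct path *p, struct req *r)
{
    if (p->pc == 0) {
        p->claimed = (r->state == ARMED);
    } else if (p->pc == 1 && p->claimed) {
        r->state = RELEASED;
        r->frees++;
    }
    p->pc++;
}

/* Hardened pattern: checking and claiming happen in one indivisible step
 * (a compare-and-swap, or a check made under the lock the other path also
 * takes). Exactly one path can win, and only the winner releases. */
static void step_fixed(struct path *p, struct req *r)
{
    if (p->pc == 0) {
        p->claimed = (r->state == ARMED);
        if (p->claimed)
            r->state = p->claim;
    } else if (p->pc == 1 && p->claimed) {
        r->state = RELEASED;
        r->frees++;
    }
    p->pc++;
}

/* Run one interleaving, e.g. "TFTF" = timer step, flush step, timer step,
 * flush step. Returns how many times the single request was released. */
int run_order(const char *order, int fixed)
{
    struct req r = { ARMED, 0 };
    struct path timer = { 0, 0, FIRING };
    struct path flush = { 0, 0, CANCELLED };

    for (const char *c = order; *c; c++) {
        struct path *p = (*c == 'T') ? &timer : &flush;
        if (fixed)
            step_fixed(p, &r);
        else
            step_buggy(p, &r);
    }
    return r.frees;
}

/* Every way two 2-step paths can interleave. */
static const char *const ORDERS[] = {
    "TTFF", "TFTF", "TFFT", "FTTF", "FTFT", "FFTT"
};
#define NORDERS (int)(sizeof ORDERS / sizeof ORDERS[0])

/* Worst case over all interleavings: 2 means a double release is reachable. */
int max_frees(int fixed)
{
    int worst = 0;
    for (int i = 0; i < NORDERS; i++) {
        int n = run_order(ORDERS[i], fixed);
        if (n > worst)
            worst = n;
    }
    return worst;
}

int main(void)
{
    printf("%-6s %-6s %-6s\n", "order", "buggy", "fixed");
    for (int i = 0; i < NORDERS; i++)
        printf("%-6s %-6d %-6d\n", ORDERS[i],
               run_order(ORDERS[i], 0), run_order(ORDERS[i], 1));
    printf("worst case: buggy=%d fixed=%d\n", max_frees(0), max_frees(1));
    return 0;
}
```

The interleavings in which each path's "decide" step runs before the other's "act" step (TFTF, TFFT, FTTF, FTFT) produce two releases in the buggy model and one in the fixed model. The point for a reviewer is that the fix is not "add a check" but "make the check and the claim one operation", which is what a try-cancel result or a lock held across both steps gives you.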

CVE-2023-29583

No description is given for this identifier; the assessment above applies to CVE-2022-29582 only and should not be read as a description of this CVE.


Timeline

Published on: 04/22/2022 16:15:00 UTC
Last modified on: 08/08/2022 16:15:00 UTC
