Linux Kernel io_uring Use-After-Free Vulnerability in Eventfd Handling
Vulnerability
A use-after-free vulnerability has been identified in the Linux kernel's io_uring implementation, specifically in how eventfd signalling is handled. The eventfd object registered with a ring is reference counted and looked up by other kernel paths under RCU, which means that, once the reference count reaches zero, the object may only be freed after an RCU grace period has elapsed. io_eventfd_do_signal(), which runs from an RCU callback, instead freed the object immediately when it dropped the last reference. A concurrent kernel path that had already dereferenced the object inside an RCU read-side critical section (for example, another signal attempt racing with an unregister triggered from user space) could then touch memory that had already been returned to the allocator, producing a use-after-free and potential memory corruption.
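To make the ordering concrete, the following is an added userspace C model of the lifecycle, written for this page rather than taken from the kernel. It replaces RCU with a reader counter and a single deferred-free slot, and models freeing with a flag instead of calling free(), so the use-after-free is detected rather than actually performed. The function names (put_buggy, put_fixed, run_race, try_get) and the exact interleaving are assumptions of the model; the real kernel uses refcount_dec_and_test(), call_rcu() and the struct io_ev_fd object, and the real window is a scheduling race rather than a fixed sequence.

```c
/*
 * Added userspace model (not kernel code) of a refcounted object that is
 * looked up under RCU and must therefore be freed only after a grace period.
 * All names and the interleaving below are assumptions made for this model.
 */
#include <assert.h>
#include <stdio.h>

struct ev_fd {
    int refs;   /* reference count (refcount_t in the kernel) */
    int freed;  /* model flag: 1 once the object has been "freed" */
};

/* Model RCU state: number of active readers and one pending deferred free. */
static int active_readers;
static struct ev_fd *pending_free;

static void rcu_read_lock_model(void) { active_readers++; }

/* Leaving the last read-side critical section ends the grace period,
 * which is the earliest point at which a deferred free may run. */
static void rcu_read_unlock_model(void)
{
    active_readers--;
    if (active_readers == 0 && pending_free) {
        pending_free->freed = 1;
        pending_free = NULL;
    }
}

/* call_rcu() equivalent: never frees while a reader may still hold the pointer. */
static void free_after_grace_period(struct ev_fd *ev)
{
    if (active_readers == 0)
        ev->freed = 1;
    else
        pending_free = ev;
}

/* The buggy drop: free immediately when the count hits zero. */
static void put_buggy(struct ev_fd *ev)
{
    if (--ev->refs == 0)
        ev->freed = 1;          /* freed while a reader may still hold it */
}

/* The fixed drop: defer the free by another grace period. */
static void put_fixed(struct ev_fd *ev)
{
    if (--ev->refs == 0)
        free_after_grace_period(ev);
}

/* refcount_inc_not_zero(): touching ev->refs on a freed object is the UAF. */
static int try_get(struct ev_fd *ev, int *uaf)
{
    if (ev->freed) {
        *uaf = 1;               /* real kernel: read of freed memory */
        return 0;
    }
    if (ev->refs == 0)
        return 0;               /* object is dying; caller must not use it */
    ev->refs++;
    return 1;
}

/*
 * Interleaving modelled:
 *  1. a signal path looks up the object under rcu_read_lock
 *  2. unregister clears the pointer and drops its reference (deferred free)
 *  3. the do_signal RCU callback drops the in-flight reference, the last one
 *  4. the signal path from step 1 tries to take a reference
 * Returns 1 if step 4 touched freed memory; *freed_at_end reports whether
 * the object was eventually released.
 */
int run_race(int use_fixed_put, int *freed_at_end)
{
    struct ev_fd obj = { .refs = 2, .freed = 0 }; /* unregister + in-flight signal */
    struct ev_fd *registered = &obj;              /* models ctx->io_ev_fd */
    int uaf = 0;

    rcu_read_lock_model();
    struct ev_fd *seen = registered;              /* step 1: rcu_dereference() */

    registered = NULL;                            /* step 2: unregister */
    put_fixed(&obj);                              /* unregister always deferred */

    if (use_fixed_put)                            /* step 3: callback drops last ref */
        put_fixed(&obj);
    else
        put_buggy(&obj);

    if (try_get(seen, &uaf))                      /* step 4 */
        put_fixed(seen);
    rcu_read_unlock_model();

    *freed_at_end = obj.freed;
    (void)registered;
    return uaf;
}

int main(void)
{
    int freed;
    printf("buggy put: uaf=%d\n", run_race(0, &freed));
    printf("fixed put: uaf=%d freed=%d\n", run_race(1, &freed), freed);
    return 0;
}
```

With the buggy put, step 4 reads the object after it was freed; with the deferred put, the reader in step 4 sees a zero count and backs off, and the free runs only once its critical section has ended.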
Impact
Triggering the race yields a use-after-free: the eventfd object is accessed after it has been returned to the allocator, so a concurrent reader can read or modify memory that may already have been reused for another object. Kernel use-after-free bugs of this kind are frequently leveraged for privilege escalation and arbitrary kernel code execution, and even an unreliable trigger crashes the system, giving a denial of service. io_uring is reachable from unprivileged user space on default configurations, which makes the race locally triggerable.
Reproduction
The vulnerability can be reproduced by creating an io_uring instance and registering an eventfd with it (IORING_REGISTER_EVENTFD). Submit work that will signal the eventfd, then unregister the eventfd, which drops its reference count. If io_eventfd_do_signal() drops the last reference while another path is still using the object under RCU, the object is freed out from under that path and the use-after-free occurs. The window is narrow on an unmodified kernel; the race was demonstrated by patching the kernel to insert delays at the relevant points so that the interleaving happens reliably.
Remediation
Upgrade to Linux kernel 6.12.10, 6.6.72, or 6.1.125 (or a later release in the same stable series), which contain the fix that defers the free by another RCU grace period. Where an immediate upgrade is not possible, io_uring can be restricted for untrusted workloads on 6.6 and later via the kernel.io_uring_disabled sysctl; the 6.1 series does not offer that control.
