Linux Kernel io_uring/futex Proper Cleanup on Failure Vulnerability

Vulnerability

A vulnerability in the Linux kernel's io_uring futex handling has been addressed. The issue arose because io_futex_data was allocated and assigned to the io_kiocb async_data field before the request was marked with the REQ_F_ASYNC_DATA flag, the flag that signals that the field holds valid data. This mismatch between the pointer and the flag could lead to improper handling of asynchronous data. Furthermore, when the futex handler encountered a failure, it freed the allocated data but did not clear the async_data field, leaving the request in an inconsistent state. The vulnerability has been fixed by ensuring that both the data pointer and the flag are cleared together in the event of an error.

Impact

The vulnerability could lead to memory management issues, where asynchronous data is not correctly handled, potentially causing inconsistencies or errors in the io_uring operations.

Reproduction

To reproduce this vulnerability, initiate an io_uring operation that involves futex wait functionality. The request allocates io_futex_data and assigns it to the async_data field before REQ_F_ASYNC_DATA is set. If the operation then fails, the futex handler frees the data but does not clear the async_data field, leaving the request in the inconsistent state described above.
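The ordering and cleanup problem described in the Vulnerability and Reproduction sections, as an added illustration that is not the kernel's code: a constructed model of a request with an async_data pointer and a validity flag, showing the buggy error path beside the corrected one and the pointer/flag consistency check a reviewer can apply. The struct layouts, function names and the use of EAGAIN to stand in for "the futex setup failed" are assumptions of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model, not kernel code: only the fields the bug involves. */
#define REQ_F_ASYNC_DATA (1u << 0)
struct io_futex_data { unsigned int key; };                /* stand-in for the real struct */
struct io_kiocb { unsigned int flags; void *async_data; }; /* async_data valid only with the flag */

/* Buggy ordering as described: async_data is populated before the flag is set,
 * and the error path frees the data without clearing the pointer ('fail'
 * simulates the futex setup failing). */
static int futex_wait_buggy(struct io_kiocb *req, bool fail)
{
    struct io_futex_data *ifd = calloc(1, sizeof(*ifd));
    if (!ifd)
        return -ENOMEM;
    req->async_data = ifd;              /* assigned before the flag */
    if (fail) {
        free(ifd);                      /* data freed ... */
        return -EAGAIN;                 /* ... but async_data still points at it */
    }
    req->flags |= REQ_F_ASYNC_DATA;     /* flag only reached on success */
    return 0;
}

/* Fixed ordering: pointer and flag are set together and cleared together. */
static int futex_wait_fixed(struct io_kiocb *req, bool fail)
{
    struct io_futex_data *ifd = calloc(1, sizeof(*ifd));
    if (!ifd)
        return -ENOMEM;
    req->async_data = ifd;
    req->flags |= REQ_F_ASYNC_DATA;
    if (fail) {
        free(ifd);
        req->async_data = NULL;          /* clear the data ... */
        req->flags &= ~REQ_F_ASYNC_DATA; /* ... and the flag, in one place */
        return -EAGAIN;
    }
    return 0;
}

/* Invariant a reviewer can check: async_data is non-NULL exactly when
 * REQ_F_ASYNC_DATA is set. The buggy error path leaves it violated. */
static bool async_state_consistent(const struct io_kiocb *req)
{
    bool flagged = (req->flags & REQ_F_ASYNC_DATA) != 0;
    return flagged == (req->async_data != NULL);
}
```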

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.

Added: Sep 5, 2025, 7:45 PM
Updated: Sep 5, 2025, 7:45 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.