Linux Kernel io_uring Filename Leak Vulnerability in __io_openat_prep()

Vulnerability

A memory leak vulnerability has been identified in the Linux kernel's io_uring implementation, specifically within the __io_openat_prep() function. The function allocates a struct filename using getname(). If the file is in the fixed file table and has the O_CLOEXEC flag set, the function then exits early without releasing that allocation, so the struct filename is leaked. The vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability causes a memory leak, where allocated resources are not properly released, potentially leading to increased memory usage and degradation of system performance over time.

Reproduction

The vulnerability can be reproduced by invoking the __io_openat_prep() function in a scenario where a file is added to the fixed file table with the O_CLOEXEC flag enabled. This triggers the early return, which leaves the allocated struct filename unreleased and causes the memory leak.

Remediation

The vulnerability has been addressed by modifying the __io_openat_prep() function to set the REQ_F_NEED_CLEANUP flag immediately after successfully allocating the struct filename. This change ensures that the filename and other necessary resources are properly cleaned up when the request is completed.
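The ordering problem and its fix can be seen in a small userspace model. This is an added example, not kernel code: struct model_req, the model_* helpers, leaked_after(), the flag values and the use of a non-zero file_slot to represent the fixed file table case are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define REQ_F_NEED_CLEANUP 0x1u    /* model value, not the kernel's bit */
#define MODEL_O_CLOEXEC    02000000 /* stands in for O_CLOEXEC */
static int live_filenames;         /* model allocations not yet freed */

struct model_req {                 /* hypothetical stand-in for the request */
    unsigned flags, file_slot;
    int open_flags;
    char *filename;
};

static char *model_getname(const char *path) {
    char *copy = malloc(strlen(path) + 1);
    if (copy) { strcpy(copy, path); live_filenames++; }
    return copy;
}

/* Prep step. fixed=1 sets the flag right after allocation (the remediation);
 * fixed=0 leaves it after the early return (the leaking order). */
static int model_openat_prep(struct model_req *req, const char *path, int fixed) {
    req->filename = model_getname(path);
    if (!req->filename) return -ENOMEM;
    if (fixed)
        req->flags |= REQ_F_NEED_CLEANUP;
    if (req->file_slot && (req->open_flags & MODEL_O_CLOEXEC))
        return -EINVAL;                   /* early exit, filename still held */
    req->flags |= REQ_F_NEED_CLEANUP;
    return 0;
}

/* Completion step: releases the filename only if the flag was set. */
static void model_complete(struct model_req *req) {
    if (req->flags & REQ_F_NEED_CLEANUP) {
        free(req->filename);
        live_filenames--;
    }
}

/* Run n requests through prep and completion; return filenames still live. */
int leaked_after(int n, unsigned file_slot, int open_flags, int fixed) {
    live_filenames = 0;
    for (int i = 0; i < n; i++) {
        struct model_req req = { .file_slot = file_slot, .open_flags = open_flags };
        model_openat_prep(&req, "/tmp/model-path", fixed);
        model_complete(&req);
    }
    return live_filenames;
}
```

With the flag set only after the early return, every rejected request leaves one allocation behind; with the flag set immediately after allocation, the completion step frees it even though prep failed.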

Added: Jan 13, 2026, 5:56 PM
Updated: Jan 13, 2026, 5:56 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.