Linux Kernel io_uring Zero-Length Fixed Buffer Import Vulnerability

Vulnerability

A vulnerability in the Linux kernel's io_uring implementation allows for out-of-bounds memory access when a zero-length fixed buffer is imported. The issue arises because the validation function permits buffer addresses at the end of the registered region when the length is zero. This oversight causes the import function to skip past the last entry in the bio_vec array and read from unallocated slab memory, leading to a 'slab-out-of-bounds' error. The vulnerability has been addressed by modifying the import function to reject zero-length imports, which do not contain any data to transfer.
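The following C program is an added, simplified model of the bounds check described above; it is not kernel code and not part of this advisory. It assumes a page-backed registered buffer (`struct fixed_buf`, `PAGE_SIZE`, `sample_buf` are all constructed here) and shows why a strict "does not extend past the end" check accepts an address equal to the end of the region when the length is zero, how that address maps to an index one past the last backing entry, and how rejecting zero-length imports closes the gap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a registered fixed buffer: a contiguous range
 * [base, base + len) backed by nr_pages page-sized entries. The entry
 * array stands in for the kernel's bio_vec array; it is never dereferenced. */
#define PAGE_SIZE 4096u

struct fixed_buf {
    uint64_t base;     /* start of the registered user range */
    uint64_t len;      /* registered length in bytes */
    size_t   nr_pages; /* number of backing entries (bio_vec count) */
};

/* Sample registration: four pages starting at a page-aligned address. */
static const struct fixed_buf sample_buf = { 0x10000, 4 * PAGE_SIZE, 4 };

enum { IMPORT_REJECTED = -2, IMPORT_OOB = -1 };

typedef bool (*range_check_fn)(const struct fixed_buf *, uint64_t, uint64_t);

/* Validation as the advisory describes it: accept any request that does not
 * extend past the end of the region. With len == 0 an addr equal to
 * base + len passes, because (end > end) is false. */
static bool range_check_permissive(const struct fixed_buf *b, uint64_t addr, uint64_t len)
{
    if (addr < b->base)
        return false;
    if (len > UINT64_MAX - addr)             /* guard the addition against wraparound */
        return false;
    if (addr + len > b->base + b->len)       /* strict: lets addr == end through when len == 0 */
        return false;
    return true;
}

/* The fix the advisory describes: a zero-length import carries no data, so
 * reject it before any index into the backing array is computed. */
static bool range_check_fixed(const struct fixed_buf *b, uint64_t addr, uint64_t len)
{
    if (len == 0)
        return false;
    return range_check_permissive(b, addr, len);
}

/* Run one import attempt through the given validator and return the index of
 * the first backing entry it would touch, IMPORT_REJECTED if validation fails,
 * or IMPORT_OOB if the computed index lies past the last entry (the slab
 * out-of-bounds read in the real bug; here it is detected, not performed). */
static long import_index(range_check_fn check, const struct fixed_buf *b,
                         uint64_t addr, uint64_t len)
{
    if (!check(b, addr, len))
        return IMPORT_REJECTED;
    size_t idx = (size_t)((addr - b->base) / PAGE_SIZE);
    if (idx >= b->nr_pages)
        return IMPORT_OOB;
    return (long)idx;
}

int main(void)
{
    uint64_t end = sample_buf.base + sample_buf.len;
    printf("permissive, addr=end, len=0 -> %ld (expect %d, one past last entry)\n",
           import_index(range_check_permissive, &sample_buf, end, 0), IMPORT_OOB);
    printf("fixed,      addr=end, len=0 -> %ld (expect %d, rejected)\n",
           import_index(range_check_fixed, &sample_buf, end, 0), IMPORT_REJECTED);
    printf("fixed,      addr=base+3 pages, len=1 page -> %ld (expect 3)\n",
           import_index(range_check_fixed, &sample_buf, sample_buf.base + 3 * PAGE_SIZE, PAGE_SIZE));
    return 0;
}
```

The design point is that the strict comparison is correct for every non-empty request, so the fix belongs at the length check rather than in the comparison: any length of zero is rejected before the entry index is derived from the address.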

Impact

Triggering this vulnerability causes a 'slab-out-of-bounds' memory access. The result is undefined behavior, including possible data corruption, and the out-of-bounds read is a memory-safety bug that could potentially be exploited further.

Reproduction

The vulnerability can be reproduced by importing a zero-length fixed buffer into io_uring, which will trigger the out-of-bounds read from slab memory. This can be done by using the io_uring_enter system call with a fixed buffer registration that has a length of zero.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: May 1, 2026, 4:01 PM
Updated: May 1, 2026, 4:01 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.