Linux Kernel User Reference Race Condition Vulnerability in io_uring Zero-Copy Receive

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's io_uring zero-copy receive implementation. The issue arises in the io_zcrx_put_niov_uref() function, which improperly manages user reference counters using a non-atomic check-then-decrement method. This vulnerability is present in the stable version of the Linux kernel. The problem is exacerbated on symmetric multiprocessing (SMP) systems, where concurrent operations can lead to double-free errors. Specifically, while one CPU thread (holding the request queue lock) is refilling user references, another thread (not holding the lock) can scrub the same references, creating a window for exploitation. This mismanagement allows the same memory buffer to be freed twice, causing memory corruption by writing out of bounds into adjacent memory areas.

Impact

Exploitation of this vulnerability leads to a double-free condition, causing memory corruption by overwriting data in adjacent memory areas, which could potentially be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by having one CPU thread refill user references in the io_uring zero-copy receive path while another thread simultaneously scrubs those references without proper synchronization. This can be achieved by manipulating the request queue locks and user reference counters so that the two operations overlap and the race condition is triggered.

Remediation

The vulnerability has been fixed by replacing the non-atomic check-then-decrement pattern with an atomic compare-and-swap loop that safely decrements user references. Users should upgrade to the latest patched version of the Linux kernel.
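
The difference between the two patterns named above, as an added example: a userspace model built on C11 atomics, not the kernel's code or the upstream patch. All function names are hypothetical, and the interleaving of the two CPUs is written out sequentially so the outcome is deterministic.

```c
/* Userspace model of the two decrement patterns. Names are hypothetical;
 * this is not the kernel's io_zcrx_put_niov_uref(). */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Pre-fix pattern, split into its two steps so the interleaving is explicit. */
static bool racy_check(atomic_int *uref) { return atomic_load(uref) != 0; }
static void racy_dec(atomic_int *uref)   { atomic_fetch_sub(uref, 1); }

/* Fixed pattern: decrement only if the counter still holds the value that was
 * checked. `seen` is the caller's earlier snapshot, so the demo can start from
 * a stale observation, as a second CPU would. */
static bool cas_put_from(atomic_int *uref, int seen)
{
    do {
        if (seen == 0)
            return false;   /* no user reference left to put */
        /* On failure, `seen` is refreshed with the current counter value. */
    } while (!atomic_compare_exchange_strong(uref, &seen, seen - 1));
    return true;
}

/* Both CPUs pass the check on the last reference, then both decrement.
 * Returns how many puts reported success; *final receives the counter. */
int demo_racy(int *final)
{
    atomic_int uref = 1;
    bool a = racy_check(&uref);   /* CPU A sees 1 */
    bool b = racy_check(&uref);   /* CPU B sees 1 before A decrements */
    if (a) racy_dec(&uref);
    if (b) racy_dec(&uref);       /* second release of a single reference */
    *final = atomic_load(&uref);
    return a + b;
}

/* Same interleaving against the CAS loop: both CPUs snapshot 1, A wins. */
int demo_cas(int *final)
{
    atomic_int uref = 1;
    int seen_a = atomic_load(&uref), seen_b = atomic_load(&uref);
    bool a = cas_put_from(&uref, seen_a);   /* 1 -> 0 */
    bool b = cas_put_from(&uref, seen_b);   /* CAS fails, reloads 0, bails */
    *final = atomic_load(&uref);
    return a + b;
}

int main(void)
{
    int f, n = demo_racy(&f);
    printf("racy: %d puts, counter=%d\n", n, f);
    n = demo_cas(&f);
    printf("cas:  %d puts, counter=%d\n", n, f);
    return 0;
}
```

In the racy model two puts succeed against one reference and the counter underflows, which corresponds to the buffer being released twice; with the compare-and-swap loop the second caller observes the updated counter and backs off.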

Added: May 6, 2026, 5:39 PM
Updated: May 6, 2026, 5:39 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 7.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.