Linux kernel
CPE: cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:* (and 4 more CPE entries)
A vulnerability in the Linux kernel's io_uring implementation causes an incorrect bounds check on submission queue entries (SQEs) when a ring is created with the IORING_SETUP_SQE_MIXED option but without IORING_SETUP_NO_SQARRAY. The check validates the logical SQ head position rather than the physical SQE index that the SQ array maps it to. An unprivileged user can use the SQE array to control which physical slot is read, leading to a buffer over-read: a 128-byte operation placed at the last physical SQE slot causes the kernel's memory copy to read beyond the end of the allocated SQE buffer. The vulnerability affects the Linux kernel stable tree.
Exploitation of this vulnerability results in a buffer over-read, where kernel memory beyond the bounds of the allocated SQE buffer is accessed. This could potentially be used to read sensitive information from kernel memory or cause other unintended kernel behavior.
To reproduce this vulnerability, set up a Linux kernel environment running a stable version that still contains the flaw. Using the io_uring interface, create a ring with the IORING_SETUP_SQE_MIXED option enabled and without IORING_SETUP_NO_SQARRAY. An unprivileged user can then remap logical SQ positions to arbitrary physical indices through the SQE array, placing a 128-byte operation at the last physical SQE slot. On submission, io_uring reads 64 bytes past the end of the SQE array, demonstrating the improper bounds check.
Users should upgrade to the latest version of the Linux kernel, in which this vulnerability has been addressed. The specific commit that resolves the issue is available in the Linux kernel stable tree.