Linux Kernel io_uring Waitid Information Exposure Vulnerability

Vulnerability

A vulnerability in the Linux kernel's io_uring implementation of the WAITID operation can lead to the unintentional exposure of stale data to userspace. This issue arises because the operation's result fields are not properly initialized before being copied to userspace, allowing old bytes from reused command storage to leak through. The vulnerability affects Linux kernel versions 6.7 and later.

Impact

The vulnerability can cause information leakage by exposing uninitialized data from the io_kiocb command storage to userspace, which could potentially be exploited to read sensitive information or manipulate application behavior.

Reproduction

To reproduce this vulnerability, use the io_uring WAITID operation in a Linux kernel version 6.7 or later. The operation will copy uninitialized information to userspace, particularly if it completes without reporting a child event. This can be verified by checking the userspace siginfo for stale data that should not have been transmitted.
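The leak pattern and the check described above, as an added user-space model (not kernel code and not part of the original advisory): a reused command slot whose result fields are copied to the caller after a wait that reports no child event. The struct names, the 64-byte slot, the 0x5A filler and the zero-before-use hardening are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, not the kernel's real layouts. */
struct result { int32_t signo, code, pid, uid, status; };     /* copied to the caller */
struct wait_cmd { int32_t options; struct result res; };      /* per-request state */
union cmd_slot { unsigned char raw[64]; struct wait_cmd w; }; /* storage reused across requests */

/* Vulnerable pattern: prepare fills in the inputs only. */
static void prep_unsafe(union cmd_slot *s, int32_t options) {
    s->w.options = options;
}

/* Hardened pattern (assumed fix): clear the result fields before use. */
static void prep_safe(union cmd_slot *s, int32_t options) {
    s->w.options = options;
    memset(&s->w.res, 0, sizeof s->w.res);
}

/* Completion: res is written only when a child event exists, but it is
 * copied to the caller's buffer unconditionally. */
static void complete(union cmd_slot *s, int child_event, struct result *user) {
    if (child_event)
        s->w.res = (struct result){ .signo = 17, .code = 1, .pid = 1234 };
    memcpy(user, &s->w.res, sizeof *user);
}

/* Defender's check: after a no-event completion every byte should be zero. */
static size_t stale_bytes(const struct result *r) {
    const unsigned char *p = (const unsigned char *)r;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *r; i++)
        n += (p[i] != 0);
    return n;
}

/* Run one request on a slot still holding a previous request's bytes. */
size_t leaked_bytes(int hardened) {
    union cmd_slot slot;
    struct result user = {0};
    memset(slot.raw, 0x5A, sizeof slot.raw);   /* constructed leftover data */
    if (hardened) prep_safe(&slot, 1); else prep_unsafe(&slot, 1);
    complete(&slot, 0, &user);                 /* no child event reported */
    return stale_bytes(&user);
}

int main(void) {
    printf("unsafe: %zu stale bytes, hardened: %zu\n", leaked_bytes(0), leaked_bytes(1));
    return 0;
}
```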

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is available in the Linux kernel stable tree.

Added: Jun 9, 2026, 9:28 AM
Updated: Jun 9, 2026, 9:28 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.