Public bug reported:
[Impact]
Linux 6.15 shipped a new zero-copy receive subsystem for io_uring called ZCRX.
It manages a pool of network I/O vectors (niovs) using a stack: freelist[] holds
available slot indices, free_count is the depth. There is no upper bound check
on free_count.
Two separate kernel teardown paths both return niovs to the same freelist,
and when they overlap, free_count exceeds the allocated array length.
The result is a 4-byte out-of-bounds write into adjacent slab memory.
This can be used to escalate privileges.
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee: Massimiliano Pellizzer (mpellizzer)
Status: In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2151822
Title:
[SRU][Q/R] PrivEsc in zero-copy receive subsystem for io_uring (ZCRX)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2151822/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
