You gave me a u32. I gave you root. (io_uring ZCRX freelist LPE) · ze3ter
Linux 6.15 shipped a new zero-copy receive subsystem for io_uring called ZCRX. It manages a pool of network I/O vectors (niovs) using a stack: freelist[] holds available slot indices, free_count is the depth. There is no upper bound check on free_count. Two separate kernel teardown paths both return niovs to the same freelist, and when they overlap, free_count exceeds the allocated array length. The result is a 4-byte out-of-bounds write into adjacent slab memory.

The OOB value is a niov index, a small integer between 0 and N-1. That sounds useless. It is not.

By choosing the area size at registration time, you choose N, which chooses the slab cache the freelist lives in, which chooses what object sits next to it. By spraying the right object into that cache at the right time, you turn a write of the integer 7 into a corrupted refcount, then into a heap read, then into a KASLR break, then into modprobe_path pointing at your script, then into uid=0.

Affected: Linux 6.15 – 6.19, CONFIG_IO_URING_ZCRX=y, a real ZCRX-capable NIC (mlx5/ice/nfp), CAP_NET_ADMIN.
Fix: commit 770594e (not yet in any stable branch at time of writing).
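As an added illustration, not the kernel's io_uring code or the author's exploit, here is a constructed C model of the freelist stack described above: the unchecked return that lets free_count run past the array sits beside a hardened return that bounds the depth and refuses a niov that is already on the list. NIOV_COUNT, NEIGHBOUR_MAGIC and the slab layout (one neighbour object directly after the freelist) are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not kernel code: N freelist slots followed by the
 * neighbouring slab object, so an overflow of free_count lands on it. */
#define NIOV_COUNT 4u
#define NEIGHBOUR_SLOT NIOV_COUNT
#define NEIGHBOUR_MAGIC 0xDEADBEEFu

struct niov_area {
    uint32_t slab[2 * NIOV_COUNT];    /* [0..N-1] freelist, [N] neighbour */
    uint32_t free_count;              /* stack depth, unbounded in the bug */
    bool     on_freelist[NIOV_COUNT]; /* hardened path: double-return guard */
};

static void area_init(struct niov_area *a) {
    memset(a, 0, sizeof *a);
    a->slab[NEIGHBOUR_SLOT] = NEIGHBOUR_MAGIC; /* stands in for the neighbour */
}

/* Unchecked return, the pattern the post describes: nothing bounds
 * free_count, so the (N+1)th return overwrites the neighbour. */
static void niov_return_unchecked(struct niov_area *a, uint32_t idx) {
    a->slab[a->free_count++] = idx;
}

/* Hardened return: reject an index already on the list (the overlapping
 * teardown case) and never push past the array length. */
static int niov_return_checked(struct niov_area *a, uint32_t idx) {
    if (idx >= NIOV_COUNT || a->on_freelist[idx]) return -1; /* double return */
    if (a->free_count >= NIOV_COUNT) return -1;              /* stack full */
    a->on_freelist[idx] = true;
    a->slab[a->free_count++] = idx;
    return 0;
}

/* Two overlapping teardown paths each return every niov. Returns how many
 * returns the hardened path refused (always 0 for the unchecked path). */
static int run_overlapping_teardown(struct niov_area *a, bool checked) {
    int rejected = 0;
    area_init(a);
    for (int path = 0; path < 2; path++)
        for (uint32_t i = 0; i < NIOV_COUNT; i++) {
            if (!checked) niov_return_unchecked(a, i);
            else if (niov_return_checked(a, i) < 0) rejected++;
        }
    return rejected;
}

static uint32_t neighbour_after_overlap(bool checked) {
    struct niov_area a;
    run_overlapping_teardown(&a, checked);
    return a.slab[NEIGHBOUR_SLOT]; /* 0 (a niov index) unchecked, magic checked */
}

static int rejected_by_hardened_path(void) {
    struct niov_area a;
    return run_overlapping_teardown(&a, true);
}
```

The unchecked run leaves the neighbour holding niov index 0, the small integer the post turns into a corrupted refcount; the hardened run refuses all four returns from the second teardown path and leaves the neighbour untouched.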
The good news is that its impact is not as widespread as Copy Fail and Dirty Frag.