CVE-2023-52895 io_uring/poll: don't reissue in case of poll race on multishot request

2024-08-2106:10:35

Linux

www.cve.org

linux kernel

vulnerability

multishot request

poll race

EPSS

Percentile

9.5%

JSON

In the Linux kernel, the following vulnerability has been resolved:

io_uring/poll: don’t reissue in case of poll race on multishot request

A previous commit fixed a poll race that can occur, but it’s only
applicable for multishot requests. For a multishot request, we can safely
ignore a spurious wakeup, as we never leave the waitqueue to begin with.

A blunt reissue of a multishot armed request can cause us to leak a
buffer, if they are ring provided. While this seems like a bug in itself,
it’s not really defined behavior to reissue a multishot request directly.
It’s less efficient to do so as well, and not required to rearm anything
like it is for singleshot poll requests.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "io_uring/poll.c"
    ],
    "versions": [
      {
        "version": "c06015ebc436",
        "lessThan": "36fc7317cdb1",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "6e5aedb9324a",
        "lessThan": "8caa03f10bf9",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "io_uring/poll.c"
    ],
    "versions": [
      {
        "version": "6.1.7",
        "lessThan": "6.1.8",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]