阿里云漏洞库

漏洞描述

The io_uring subsystem in the Linux kernel allowed the MAX_RW_COUNT limit to be bypassed in the PROVIDE_BUFFERS operation, which led to negative values being usedin mem_rw when reading /proc/<PID>/mem. This could be used to create a heap overflow leading to arbitrary code execution in the kernel. It was addressed via commit d1f82808877b ("io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers") (v5.13-rc1) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. It was introduced in ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") (v5.7-rc1).

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id...
https://security.netapp.com/advisory/ntap-20210716-0004/
https://ubuntu.com/security/notices/USN-4949-1
https://ubuntu.com/security/notices/USN-4950-1
https://www.openwall.com/lists/oss-security/2021/05/11/13
https://www.zerodayinitiative.com/advisories/ZDI-21-589/

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	系统	amazon_2	kernel	*		Up to (excluding) 5.10.35-31.135.amzn2
	运行在以下环境
	系统	canonical	ubuntu_linux	20.04	-
	运行在以下环境
	系统	canonical	ubuntu_linux	20.10	-
	运行在以下环境
	系统	canonical	ubuntu_linux	21.04	-
	运行在以下环境
	系统	debian_10	linux	*		Up to (excluding) 4.19.289-2
	运行在以下环境
	系统	debian_11	linux	*		Up to (excluding) 5.10.38-1
	运行在以下环境
	系统	debian_12	linux	*		Up to (excluding) 5.10.38-1
	运行在以下环境
	系统	fedora_32	kernel	*		Up to (excluding) 5.11.20-100.fc32
	运行在以下环境
	系统	fedora_33	kernel	*		Up to (excluding) 5.11.20-200.fc33
	运行在以下环境
	系统	fedora_34	kernel	*		Up to (excluding) 5.11.20-300.fc34
	运行在以下环境
	系统	kylinos_aarch64_V10	kernel	*		Up to (excluding) 4.19.90-52.15.v2207.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP3	kernel	*		Up to (excluding) 4.19.90-52.15.v2207.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10	kernel	*		Up to (excluding) 4.19.90-52.15.v2207.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP3	kernel	*		Up to (excluding) 4.19.90-52.15.v2207.ky10
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 5.11	Up to (excluding) 5.11.21
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 5.12	Up to (excluding) 5.12.4
	运行在以下环境
	系统	linux	linux_kernel	*	From (including) 5.7	Up to (excluding) 5.10.37
	运行在以下环境
	系统	opensuse_Leap_15.2	kernel	*		Up to (excluding) 5.3.18-lp152.78.1
	运行在以下环境
	系统	opensuse_Leap_15.3	kernel	*		Up to (excluding) 5.3.18-38.3.1
	运行在以下环境
	系统	suse_12_SP5	kernel	*		Up to (excluding) 4.12.14-16.59.1
	运行在以下环境
	系统	ubuntu_14.04.6_lts	linux-lts-xenial	*		Up to (excluding) 4.4.0-13.29~14.04.1
	运行在以下环境
	系统	ubuntu_21.04	linux	*		Up to (excluding) 5.11.0-1008.8

攻击路径

本地
攻击复杂度

困难
权限要求

普通权限
影响范围

全局影响
EXP成熟度

未验证
补丁情况

官方补丁
数据保密性

数据泄露
数据完整性

传输被破坏
服务器危害

服务器失陷
全网数量

N/A

CWE-ID	漏洞类型
CWE-787	跨界内存写

中危 linux linux_kernel 跨界内存写

漏洞描述

解决建议

参考链接

受影响软件情况