A lot of talk and discussion happens anytime a hardware manufacturer releases a new line of faster, more powerful, or more efficient computers. It’s easy to see better and better specifications and assume that’s where all the progress is made. But without improved software and algorithms, often the full potential of the hardware can’t be realized. That’s the reason for the creation of io_uring, an improved system call interface in the Linux kernel. It’s also where [chompie] went to look for exploits.
The reason for looking here, in a part of the kernel [chompie] had only recently learned about, was twofold. First, because it’s a place where user space applications interact with the kernel, and second because it’s relatively new and that means more opportunities to find bugs. The exploit involves taking advantage of a complicated asynchronous buffer system, specifically at a location where the code confuses a memory location being used by the kernel with one which is supposed to be used for user space.
To actually get this to work as an exploit, though, a much more involved process is needed to make sure the manipulation of these memory addresses results in something actually useful, but it is eventually used to gain local privilege escalation. More about it can be found in this bug report as well. Thanks to the fact that Linux is open-source, this bug can quickly be fixed and the patch rolled out to prevent malicious attackers from exploiting it. Open-source software has plenty of other benefits besides being inherently more secure, though.
Why are you calling this zero-day in 2023? The CVE is from 2021, the article describing the vulnerability as well, and the kernel was patched the same year.
The post shouldn’t have gone out with such an inflammatory title, I’ve changed it to more accurately represent the linked write-up.
Church of Linux needs something to keep them grounded.
Why?
If you are going to lead with clickbait scary “zero day exploit”, at least point out that the vulnerability is from 2021, the article linked to is from early 2022, and the kernels affected are versions 5.10 through 5.14.6.
Thanks
As a server manager, thanks for the deja vu and unnecessary sense of shock on a Sunday.
Seconded. But thanks to the comments section for pointing this out when I was only a few paragraphs in.
Hahaha
Thanks. How can we upgrade or patch this on our machine if updating to v6 kernel doesn’t work?
Upgrade to the latest v5 kernel? It’s been patched for a couple years.
Pretty irresponsible reporting.
The CVE is years old, and has long since been patched. The title calls it a “zero-day”, but I can’t tell if it’s clickbait or just a slow news day. A tiny amount of research would’ve prevented all of this. You know, reading the linked material and all…
Feels like Hack-A-Day is turning into the CNN of the tech world.
“Bleah!” I hope not!
This article is shameful.
I agree…
It is unfortunate that this rehash was decided to be a good way to go. Maybe you can follow up with clickbaity ‘news’ about Lindbergh making it across the Atlantic or perhaps the RADAR altimeter problems on the Apollo 11 landing, and you can sell it like it’s going to happen this afternoon.
Yeah. I’m close to setting “don’t recommend this source” for Hackaday.
This article is neat enough as is, it doesn’t need the super misleading click bait headline.
Seriously disappointing headline and content. I hope someone at Hackaday editorial thinks long and hard about this.
Transforming “Hack-A-Day” into “Hack-A-Years Ago.”
How sad. What a shame.
If you have nothing to post, please don’t post nonsense.
I was about to check for updates on my media server, after reading the article as it was e-mailed, then read the comments.