
[LTS 9.2] CVE-2022-49791 #348


Draft
wants to merge 1 commit into
base: ciqlts9_2

pvts-mat

@pvts-mat pvts-mat commented Jun 18, 2025

[LTS 9.2]
CVE-2022-49791
VULN-65958

Problem

https://www.cve.org/CVERecord?id=CVE-2022-49791

In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix multishot accept request leaks

Having REQ_F_POLLED set doesn't guarantee that the request is executed as a multishot from the polling path. Fortunately for us, if the code thinks it's multishot issue when it's not, it can only ask to skip completion so leaking the request. Use issue_flags to mark multipoll issues.

Hard to say what the issue really is about or what is leaking. Fortunately for us, it doesn't matter - see below.

Background

The io_uring module is a newly developed system call for asynchronous I/O based on a ring buffer, aiming to improve performance compared to synchronous read() / write(), as well as providing a simpler interface compared to the existing async AIO API and expanding its scope [1], [2], [3].

Applicability analysis

Two premises lead us to consider the bug not applicable to LTS 9.2:

  1. The 390ed29 commit (1) marked in 9148286 as introducing the bug was not backported to LTS 9.2 (the continuity of LTS 9.2 with the mainline of the files affected by either the bug or the fix (include/uapi/linux/io_uring.h, include/linux/io_uring.h, io_uring/io_uring.h, io_uring/io_uring.c, io_uring/net.c) ended a month before (2), on 2022-04-10, while the bug was introduced on 2022-05-14)

    $ cve-research/git-analysis.xsh \
        histories \
        -C .../kernel-src-tree \
        --file include/uapi/linux/io_uring.h include/linux/io_uring.h io_uring/io_uring.h io_uring/io_uring.c io_uring/net.c \
        --log-opts-main='--date=short' \
        --ref-opts="--no-merges" \
        kernel-mainline ciqlts9_2
    
    …
    390ed29b5 2022-05-14 io_uring: add IORING_ACCEPT_MULTISHOT for accept                              (1)
    a8da73a32 2022-05-13 io_uring: add flag for allocating a fully sparse di…
    1339f24b3 2022-05-13 io_uring: allow allocated fixed files for openat/op…
    ee692a21e 2022-05-11 fs,io_uring: add infrastructure for uring-cmd
    7a51e5b44 2022-05-09 io_uring: support CQE32 in io_uring_cqe
    ebdeb7c01 2022-05-09 io_uring: add support for 128-byte SQEs
    0455d4cce 2022-05-05 io_uring: add POLL_FIRST support for send/sendmsg a…
    ef060ea9e 2022-04-30 io_uring: add IORING_SETUP_TASKRUN_FLAG
    e1169f06d 2022-04-30 io_uring: use TWA_SIGNAL_NO_IPI if IORING_SETUP_COO…
    f548a12ef 2022-04-29 io_uring: return hint on whether more data is avail…
    33337d03f 2022-04-26 io_uring: add io_uring_get_opcode
    cc51eaa8b 2022-04-26 io_uring: add type to op enum
    1374e08e2 2022-04-24 io_uring: add socket(2) support
    a56834e0f 2022-04-24 io_uring: add fgetxattr and getxattr support
    e9621e2be 2022-04-24 io_uring: add fsetxattr and setxattr support
    970f256ed 2022-04-24 io_uring: add support for IORING_ASYNC_CANCEL_ANY
    4bf94615b 2022-04-24 io_uring: allow IORING_OP_ASYNC_CANCEL with 'fd' ke…
    8e29da69f 2022-04-24 io_uring: add support for IORING_ASYNC_CANCEL_ALL
    c4212f3eb 2022-04-10 io_uring: flag the fact that linked file assignment…  ~ 82eb95c78 2022-11-08  (2)
    7ef66d186 2022-03-24 io_uring: remove IORING_CQE_F_MSG                     ~ 68d4d712a 2022-11-08
    bcbb7bf6c 2022-03-10 io_uring: allow submissions to continue on error      ~ 92554a27e 2022-11-08
    4f57f06ce 2022-03-10 io_uring: add support for IORING_OP_MSG_RING comman…  ~ f8e20c28e 2022-11-08
    e7a6c00dc 2022-03-10 io_uring: add support for registering ring file des…  ~ c7f452a56 2022-11-08
    04c76b41c 2021-11-24 io_uring: add option to skip CQE posting              ~ f2f9e6dbd 2022-11-02
    6224590d2 2021-10-19 io_uring: add flag to not fail link after timeout     ~ d2d047980 2022-10-26
    …
    
  2. The CONFIG_IO_URING option enabling the io_uring feature is not set in ciqlts9_2

    $ grep CONFIG_IO_URING configs/kernel*.config
    
    configs/kernel-aarch64-64k-debug-rhel.config:# CONFIG_IO_URING is not set
    configs/kernel-aarch64-64k-rhel.config:# CONFIG_IO_URING is not set
    configs/kernel-aarch64-debug-rhel.config:# CONFIG_IO_URING is not set
    configs/kernel-aarch64-rhel.config:# CONFIG_IO_URING is not set
    configs/kernel-ppc64le-debug-rhel.config:# CONFIG_IO_URING is not set
    configs/kernel-ppc64le-rhel.config:# CONFIG_IO_URING is not set
    configs/kernel-s390x-debug-rhel.config:# CONFIG_IO_URING is not set
    configs/kernel-s390x-rhel.config:# CONFIG_IO_URING is not set
    configs/kernel-s390x-zfcpdump-rhel.config:# CONFIG_IO_URING is not set
    configs/kernel-x86_64-debug-rhel.config:# CONFIG_IO_URING is not set
    configs/kernel-x86_64-rhel.config:# CONFIG_IO_URING is not set
    

Footnotes

1 https://www.phoronix.com/news/Linux-io_uring-Fast-Efficient

2 https://stackoverflow.com/questions/13407542/is-there-really-no-asynchronous-block-i-o-on-linux

3 https://www.man7.org/linux/man-pages/man7/aio.7.html

@pvts-mat pvts-mat marked this pull request as draft June 18, 2025 20:27
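The two premises of the applicability analysis above, written as repeatable checks (an added example, not part of the pull request and not the logic of git-analysis.xsh). It assumes backports keep the upstream subject line; the logs, hashes and the CONFIG_IO_URING_DEMO option are constructed sample data.

```python
import re
from datetime import date

# Constructed sample data. Log lines follow
# `git log --no-merges --date=short --format='%h %ad %s' <ref> -- <files>`.
MAINLINE_LOG = """\
ccc3333 2022-05-14 subsys: add multishot feature
bbb2222 2022-04-24 subsys: add socket support
aaa1111 2022-04-10 subsys: flag linked file assignment
9990000 2022-03-24 subsys: remove unused flag
"""
BRANCH_LOG = """\
f00d002 2022-11-08 subsys: flag linked file assignment
f00d001 2022-11-08 subsys: remove unused flag
"""
# CONFIG_IO_URING_DEMO is a made-up option that shares the prefix.
CONFIG_TEXT = """\
# CONFIG_IO_URING is not set
CONFIG_IO_URING_DEMO=y
"""

def parse_log(text):
    """Return [(hash, date, subject)] for each non-empty log line."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        commit, day, subject = line.split(maxsplit=2)
        rows.append((commit, date.fromisoformat(day), subject))
    return rows

def continuity_end(mainline, branch):
    """Date of the newest mainline commit whose subject exists in branch."""
    backported = {subject for _, _, subject in parse_log(branch)}
    dates = [day for _, day, subject in parse_log(mainline) if subject in backported]
    return max(dates, default=None)

def introduced_after_continuity(mainline, branch, intro_hash):
    """True if the introducing commit is not in branch and postdates the cut."""
    commit = next(r for r in parse_log(mainline) if r[0] == intro_hash)
    backported = {subject for _, _, subject in parse_log(branch)}
    end = continuity_end(mainline, branch)
    return commit[2] not in backported and end is not None and commit[1] > end

def config_state(text, option):
    """Return the value, 'not set' or 'absent' for exactly `option`."""
    for line in text.splitlines():
        if line == f"# {option} is not set":
            return "not set"
        match = re.fullmatch(re.escape(option) + r"=(.*)", line)
        if match:
            return match.group(1)
    return "absent"
```

Subject matching misses backports whose subject line was reworded, so a negative result is worth confirming against the branch history by hand.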