Researcher Details Linux Kernel Privilege Escalation Vulnerability (CVE-2022-1786)
Security researcher @kylebot has detailed a now-patched flaw in the Linux kernel that an attacker could exploit to gain elevated privileges or cause a denial-of-service condition.
Tracked as CVE-2022-1786 (CVSS score: 7.8), the bug has been addressed by the Linux kernel security team; NetApp acknowledged the public discussion of this vulnerability in July.
“A use-after-free flaw was found in the Linux kernel’s io_uring subsystem in the way a user sets up a ring with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. This flaw allows a local user to crash or escalate their privileges on the system,” according to the MITRE website.
The root cause of the bug is a misuse of the identity model in io_uring. When preparing a request, the kernel uses the identity of the current task instead of that of the task that issued the request. This mismatch causes type confusion and an invalid free when the request is later destroyed.
The io_uring Asynchronous I/O (AIO) framework is a new Linux I/O interface, first introduced in the upstream Linux kernel version 5.1 (March 2019). It provides a low-latency and feature-rich interface for applications that require AIO functionality but prefer the kernel to perform the I/O.
“io_uring is designed to fill the gap. It allows us to submit a series of IO operations (or actions related to IO operations such as timeout) to the kernel directly, and the kernel will perform them in parallel in different task contexts and finish the needed operations rapidly, without privilege transition,” the researcher wrote.
“This design allows io_uring to achieve a much faster IO performance compared with the previous aio implementation [0], thus it is growing in popularity among developers and experiencing rapid development. However, rapid development == more bugs. In the last two years, we have seen many severe io_uring bugs that can lead to privilege escalation.”
Successful exploitation of CVE-2022-1786, by running a specially crafted program, could lead to a system crash. The bug affects Linux kernel v5.10. @chompie1337 pointed out that io_uring was accessible to unprivileged users [10] on Android back in 2021.
@kylebot has also published proof-of-concept (PoC) instructions for triggering the flaw.