CVE-2024-0582: 
Linux Debian vulnerability analysis and mitigation

A memory leak flaw was discovered in the Linux kernel's iouring functionality, specifically in how a user registers a buffer ring with IORINGREGISTERPBUFRING, mmap() it, and then frees it. The vulnerability was introduced in Linux kernel version 6.4 and was fixed in version 6.6.5. The issue was discovered by Jann Horn from Google Project Zero in November 2023 (Project Zero, NVD).

The vulnerability occurs because the iouring subsystem uses remappfnrange() for mapping buffer rings into userspace, creating a VMPFNMAP mapping where the MM subsystem treats the mapping as opaque page frame numbers not associated with any corresponding pages. When a buffer ring is unregistered using IORINGUNREGISTERPBUF_RING, the kernel frees the memory and returns it to the page allocator without checking if the userspace mapping has been removed. This leaves the application with a valid memory mapping to freed pages that can be reallocated by the kernel for other purposes. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (NVD).

This vulnerability allows a local user to crash the system or potentially escalate their privileges. The flaw enables an attacker to read and write to freed pages that have been returned to the page allocator, which can be reallocated by the kernel for other purposes, leading to a use-after-free condition (Ubuntu Security, NVD).

The vulnerability was fixed in Linux kernel version 6.6.5 through commit c392cbecd8eca4c53f2bf508731257d9d0a21c2d. The fix involves deferring the release of mapped buffer rings until the io_uring context is freed, ensuring that no userspace mapping can exist when the memory is freed. Systems should be updated to a kernel version containing this fix (Kernel Commit).