Executive Summary

This vulnerability exists in the Linux kernel's io_uring/net subsystem, specifically in the io_bundle_nbufs() function. It arises because a length value (sqe->len), which is an unsigned 32-bit integer (__u32), is stored into a signed integer (int) field (sr->len). When userspace passes a length value greater than INT_MAX (for example, 0xFFFFFFFF), this causes an integer overflow, turning sr->len into a negative value.

This negative value then propagates through several functions, causing size variables to become extremely large due to type conversions and lack of proper clamping. Eventually, this leads to an infinite loop in io_bundle_nbufs() where the function reads beyond the allocated memory (slab-out-of-bounds read) because the loop counter increases instead of decreasing.

The issue is fixed by rejecting negative sr->len values early in the processing functions io_sendmsg_prep() and io_recvmsg_prep(), since any sqe->len value greater than INT_MAX is invalid.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a slab-out-of-bounds read in the Linux kernel, which means the kernel reads memory beyond the allocated buffer. Such out-of-bounds reads can cause system instability, crashes, or potentially expose sensitive kernel memory contents to an attacker.

Because the issue involves an infinite loop caused by incorrect length handling, it may also lead to denial of service (DoS) conditions by exhausting system resources or causing kernel panics.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed by rejecting negative sr->len values early in both io_sendmsg_prep() and io_recvmsg_prep(). Since sqe->len is __u32, any value greater than INT_MAX indicates overflow and is not a valid length.

Therefore, the immediate mitigation step is to update the Linux kernel to a version that includes this fix.

Useful 0 Not Useful 0