Cyber security

Exploring Kernel Vulnerabilities : A Deep Dive Into io_uring Buffer Management

The io_uring_register syscall supports various registration ops to allow a user to register different resources that io_uring can use.

Specifically, with IORING_REGISTER_PBUF_RING combined with the IOU_PBUF_RING_MMAP flag, the kernel allocates pages for an io_buffer_list and attaches it to the io_ring_ctx under a given bgid.

int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg)
{
 struct io_uring_buf_reg reg;
 struct io_buffer_list *bl, *free_bl = NULL;
 int ret;

 if (copy_from_user(&reg, arg, sizeof(reg)))
  return -EFAULT;
/*...*/    
 if (!(reg.flags & IOU_PBUF_RING_MMAP))
  ret = io_pin_pbuf_ring(&reg, bl);
 else
  ret = io_alloc_pbuf_ring(&reg, bl); // <-- IOU_PBUF_RING_MMAP

 if (!ret) {
  bl->nr_entries = reg.ring_entries;
  bl->mask = reg.ring_entries - 1;

  io_buffer_add_list(ctx, bl, reg.bgid); // <-- add buffer_list to ctx with bgid
  return 0;
 }

 kfree(free_bl);
 return ret;
}

In the io_alloc_pbuf_ring() function below, the kernel uses __get_free_pages() to allocate pages for the buffer ring:

static int io_alloc_pbuf_ring(struct io_uring_buf_reg *reg,
         struct io_buffer_list *bl)
{
 gfp_t gfp = GFP_KERNEL_ACCOUNT | __GFP_ZERO | __GFP_NOWARN | __GFP_COMP;
 size_t ring_size;
 void *ptr;

 ring_size = reg->ring_entries * sizeof(struct io_uring_buf_ring);
 ptr = (void *) __get_free_pages(gfp, get_order(ring_size));
 if (!ptr)
  return -ENOMEM;

 bl->buf_ring = ptr;
 bl->is_mapped = 1;
 bl->is_mmap = 1;
 return 0;
}

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Leave a Comment
Share
Published by
Varshini
Tags: cybersecurityinformationsecuritykalilinuxkalilinuxtools
2 days ago

Recent Posts

AgentTesla : The Mechanics And Menace Of A Persistent Cyber Threat

AgentTesla is a sophisticated and persistent malware that has been a significant cybersecurity threat since…

15 hours ago

Silent Execution Of cmd.exe With Redirected STDERR And STDOUT

The ability to execute commands silently using cmd.exe while redirecting both standard output (STDOUT) and…

15 hours ago

Process Inject Kit : Elevating Penetration Testing With Advanced Injection Capabilities

The Process Inject Kit is a specialized toolkit designed to enhance and customize process injection…

15 hours ago

OneScan : A Comprehensive Tool For Recursive Directory Scanning

OneScan is an innovative Burp Suite plugin designed to enhance vulnerability detection in deeply nested…

15 hours ago

Commander – Secure Python C2 Framework

Commander is a command and control framework (C2) written in Python, Flask and SQLite. It comes…

21 hours ago

Zizmor : Enhancing Security In GitHub Actions With Static Analysis

zizmor is a static analysis tool for GitHub Actions. It can find many common security…

21 hours ago