io_uring/af_unix: disable sending io_uring over sockets (!3561) · Merge requests · Red Hat / centos-stream / src / kernel / centos-stream-9

Felix Maurer requested to merge fmaurer-rh/centos-stream-9:RHEL-18161 into main Jan 09, 2024

JIRA: https://issues.redhat.com/browse/RHEL-18161
JIRA: https://issues.redhat.com/browse/RHEL-18162
CVE: CVE-2023-6531

File reference cycles have caused lots of problems for io_uring  
in the past, and it still doesn't work exactly right and races with  
unix_stream_read_generic(). The safest fix would be to completely  
disallow sending io_uring files via sockets via SCM_RIGHT, so there  
are no possible cycles invloving registered files and thus rendering  
SCM accounting on the io_uring side unnecessary.

Signed-off-by: Felix Maurer fmaurer@redhat.com

Admin message

io_uring/af_unix: disable sending io_uring over sockets

Merge request reports