From: Ali Raza <elirazamumtaz@gmail.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: io-uring@vger.kernel.org, linux-kernel@vger.kernel.org,
bpf@vger.kernel.org, Ali Raza <elirazamumtaz@gmail.com>,
Pavel Begunkov <asml.silence@gmail.com>
Subject: [PATCH] io_uring: fix missing submitter_task ownership check in bpf_io_reg()
Date: Wed, 22 Apr 2026 20:53:05 +0500
Message-ID: <20260422-master-v1-1-e82f47558345@gmail.com>
bpf_io_reg() installs a BPF struct_ops loop_step on any io_uring ring
the caller holds a file descriptor for. io_uring_ctx_get_file() only
validates that the fd resolves to an io_uring file; it does not verify
the caller has authority over the ring's submitter_task.
A parallel path in io_uring_register() already enforces this:

    if (ctx->submitter_task && ctx->submitter_task != current)
        return -EEXIST; /* register.c:733 */
Without the equivalent check in bpf_io_reg(), a local user with
CAP_PERFMON can exploit IORING_SETUP_R_DISABLED -- which defers
submitter_task assignment until IORING_REGISTER_ENABLE_RINGS -- to
install a loop_step on a ring before a more-privileged process becomes
its submitter_task. The loop_step then executes in the privileged
process's task context and can issue arbitrary io_uring operations
(IORING_OP_WRITE, IORING_OP_READ, IORING_OP_SPLICE) against that
process's open file table. This provides a cross-privilege io_uring
execution primitive that can serve as a component in a privilege
escalation chain when combined with a vector that induces a privileged
process to adopt an attacker-controlled ring.
Affected: v7.1-rc1+ with CONFIG_IO_URING_BPF_OPS=y.
Requires: IORING_SETUP_DEFER_TASKRUN | IORING_SETUP_SINGLE_ISSUER.
Add the ownership check in io_install_bpf(), which is called under
uring_lock, matching the locking context of the register.c check.
Signed-off-by: Ali Raza <elirazamumtaz@gmail.com>
Cc: Pavel Begunkov <asml.silence@gmail.com>
---
io_uring/bpf-ops.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/io_uring/bpf-ops.c b/io_uring/bpf-ops.c
index 937e48bef40b..cac11c929297 100644
--- a/io_uring/bpf-ops.c
+++ b/io_uring/bpf-ops.c
@@ -162,6 +162,8 @@ static int io_install_bpf(struct io_ring_ctx *ctx, struct io_uring_bpf_ops *ops)
return -EOPNOTSUPP;
if (!(ctx->flags & IORING_SETUP_DEFER_TASKRUN))
return -EOPNOTSUPP;
+ if (ctx->submitter_task && ctx->submitter_task != current)
+ return -EPERM;
if (ctx->bpf_ops)
return -EBUSY;
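Review bot: the new check only rejects when ctx->submitter_task is already set, but the window the changelog describes (IORING_SETUP_R_DISABLED deferring submitter_task assignment until IORING_REGISTER_ENABLE_RINGS) is precisely the case where it is still NULL, so `if (ctx->submitter_task && ctx->submitter_task != current)` lets the pre-enable install through unchanged. Consider refusing the install while submitter_task is unset, or recording the installing task and validating it against submitter_task when the rings are enabled. Separately, the register.c check quoted in the changelog returns -EEXIST while this one returns -EPERM; if the difference is intentional, say why in the commit message.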
---
base-commit: bea8d77e45a8b77f2beca1affc9aa7ed28f39b17
change-id: 20260422-master-d96fe0e8bb3c
Best regards,
--
Ali Raza <elirazamumtaz@gmail.com>