
`prepare_*` or `submit_requests` should be unsafe

Open quininer opened this issue 6 years ago • 3 comments

I noticed that io-uring marks both `prepare_*` and `submit_requests` as safe, but these should actually be unsafe.

Here is a PoC that proves it is not safe: https://gist.github.com/quininer/dbdc7c1fde3553a911015395bc886398

quininer avatar Oct 21 '19 06:10 quininer

Thanks for bringing this up. Could you please elaborate a bit on the reasons?

slp avatar Oct 22 '19 09:10 slp

This is actually a use-after-free. You can see that 13L dropped buf, which causes the kernel to write data to the wrong memory (15L).

That is, submit should be unsafe unless we can guarantee that the buffer is valid until the IO operation is complete.

quininer avatar Oct 22 '19 09:10 quininer

You're right, thanks. I'll update the interface ASAP.

slp avatar Oct 23 '19 08:10 slp
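
The lifetime requirement discussed in this thread (the buffer must stay valid until the I/O completes) can be expressed in two ways, sketched below as an added example that is not code from the thread, the gist, or the io-uring crate. `SimRing` is a simulated stand-in for the kernel side, and every name in it (`prepare_read_raw`, `submit_read_owned`, `complete`) is hypothetical.

```rust
// Added illustration: a simulated ring, NOT the io-uring crate's API.
// All names here are hypothetical.
use std::collections::HashMap;

/// Stand-in for the kernel: it records a raw pointer at prepare time
/// and writes through it later, when the operation "completes".
struct SimRing {
    pending: HashMap<u64, (*mut u8, usize)>, // user_data -> destination
    owned: HashMap<u64, Vec<u8>>,            // buffers kept alive by the ring
}

impl SimRing {
    fn new() -> Self {
        SimRing { pending: HashMap::new(), owned: HashMap::new() }
    }

    /// Raw form. `unsafe` because the caller must keep `ptr..ptr+len` valid
    /// and unaliased until `complete(user_data)` has returned.
    unsafe fn prepare_read_raw(&mut self, user_data: u64, ptr: *mut u8, len: usize) {
        self.pending.insert(user_data, (ptr, len));
    }

    /// Safe form: the ring takes ownership of the buffer, so safe code
    /// cannot drop it while the operation is still in flight.
    fn submit_read_owned(&mut self, user_data: u64, mut buf: Vec<u8>) {
        let (ptr, len) = (buf.as_mut_ptr(), buf.len());
        self.owned.insert(user_data, buf); // moving a Vec keeps its heap data in place
        // SAFETY: the buffer lives in `self.owned` until `complete` removes it.
        unsafe { self.prepare_read_raw(user_data, ptr, len) };
    }

    /// Simulated completion: fill the destination with `byte` and hand the
    /// owned buffer back, if the ring was holding one for this request.
    fn complete(&mut self, user_data: u64, byte: u8) -> Option<Vec<u8>> {
        let (ptr, len) = self.pending.remove(&user_data)?;
        // SAFETY: validity is guaranteed by `prepare_read_raw`'s contract.
        unsafe { std::ptr::write_bytes(ptr, byte, len) };
        self.owned.remove(&user_data)
    }
}

fn demo() -> Vec<u8> {
    let mut ring = SimRing::new();
    ring.submit_read_owned(1, vec![0u8; 4]);
    // No handle to the buffer exists here, so it cannot be dropped early.
    ring.complete(1, 0xAB).expect("buffer returned on completion")
}

fn main() { assert_eq!(demo(), vec![0xAB; 4]); }
```

With the raw form, the obligation to keep the buffer alive is visible at the call site as an `unsafe` block; with the owned form, the type system enforces it.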