Re: [PATCH] io_uring: fix missing submitter_task ownership check in bpf_io_reg()

Next message: Marco Elver: "Re: kcsan -Wmaybe-uninitialized warning in ntfs3"
Previous message: Yosry Ahmed: "Re: [PATCH v2 3/3] KVM: Take gpa_t in kvm_vcpu_map[_readonly]()"
In reply to: Gabriel Krisman Bertazi: "Re: [PATCH] io_uring: fix missing submitter_task ownership check in bpf_io_reg()"
Next in thread: Pavel Begunkov: "Re: [PATCH] io_uring: fix missing submitter_task ownership check in bpf_io_reg()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jens Axboe

Date: Wed Apr 22 2026 - 17:46:28 EST

On 4/22/26 3:20 PM, Gabriel Krisman Bertazi wrote:
> Ali Raza <elirazamumtaz@xxxxxxxxx> writes:
>
>> bpf_io_reg() installs a BPF struct_ops loop_step on any io_uring ring
>> the caller holds a file descriptor for. io_uring_ctx_get_file() only
>> validates that the fd resolves to an io_uring file; it does not verify
>> the caller has authority over the ring's submitter_task.
>>
>> A parallel path in io_uring_register() already enforces this:
>>
>> if (ctx->submitter_task && ctx->submitter_task != current)
>> return -EEXIST; /* register.c:733 */
>
> How is this a protection? I thought ctx->submitter_task is about
> IORING_SETUP_SINGLE_ISSUER. there is no permission or capability over
> it against other processes.
>
>> Without the equivalent check in bpf_io_reg(), a local user with
>> CAP_PERFMON can exploit IORING_SETUP_R_DISABLED -- which defers
>
> I'd argue this is a non-issue. If you have CAP_PERFMON, you are able to
> mess with the process in many ways beyond this. Otherwise, how a
> process would be able to get the fd in the first place?

It is a non-issue. It relies entirely on an unrealistic scenarior. Yes
if you have a privileged task that can take over a non-privileged ring
fd, yes than you can do bad things. News at 11...

--
Jens Axboe