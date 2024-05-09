As Ksplice engineers, we often have to look at completely different subsystems of the Linux kernel in order to patch them, either to fix a vulnerability or to add tripwires. As a result, we gain a lot of knowledge in various areas, and this time we'll share what we learned while preparing a Known Exploit Detection update: a use-after-free issue stemming from the interaction between Unix garbage collection (GC) and the io_uring subsystem.

To explain how the various components interact, we will begin with the kernel implementation of file descriptor passing over Unix domain sockets (the SCM_RIGHTS ancillary message). Next, we will examine the function that registers file descriptors with io_uring via the IORING_REGISTER_FILES opcode. We will then take a closer look at how reference cycles between in-flight file descriptors are detected and cleaned up, including the Unix garbage collection code. Finally, we will discuss the use-after-free scenario that results from the interaction between Unix GC and io_uring.
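Before looking at the kernel side, it helps to see from user space what "in-flight" file descriptors and the cycles that Unix GC has to break actually look like. The following is an added example written for this article (it is not Ksplice code and not taken from the kernel or any exploit): it passes a pipe end over a socketpair with SCM_RIGHTS and checks that the received descriptor refers to the same open file, then builds the classic orphan cycle by sending a socket's own file descriptor into its own receive queue and closing every user-space reference to it. After the closes, the only remaining reference to that socket's struct file is the SCM_RIGHTS message sitting in its own queue, which is precisely the situation the kernel's unix_gc() exists to reclaim; ordinary refcounting never gets it to zero. The helper names (send_fd, recv_fd, demo_*) are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <sys/un.h>

/* Send one file descriptor over a Unix socket as an SCM_RIGHTS ancillary message.
 * The kernel attaches a reference to the underlying struct file to the queued
 * message; from that moment the file is "in flight" until the peer receives it
 * (or the queue is destroyed). Returns 0 on success. */
static int send_fd(int sock, int fd_to_send)
{
    char dummy = 'x';                      /* SCM_RIGHTS needs at least one data byte */
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof(u));
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one file descriptor sent with send_fd(). Returns the new fd or -1. */
static int recv_fd(int sock)
{
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof(u));
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    if (!cmsg || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Round trip: pass the write end of a pipe across a socketpair and prove that the
 * received descriptor is the same open file (same inode, and a write through it
 * is readable from the pipe's read end). Returns 0 on success. */
int demo_fd_passing_roundtrip(void)
{
    int sv[2], pfd[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(pfd) < 0)
        return -1;
    if (send_fd(sv[0], pfd[1]) < 0)
        return -2;
    int got = recv_fd(sv[1]);
    if (got < 0)
        return -3;
    struct stat a, b;
    int ok = fstat(pfd[1], &a) == 0 && fstat(got, &b) == 0 &&
             a.st_dev == b.st_dev && a.st_ino == b.st_ino;
    char c = 0;
    if (write(got, "Z", 1) != 1 || read(pfd[0], &c, 1) != 1 || c != 'Z')
        ok = 0;
    close(got); close(pfd[0]); close(pfd[1]); close(sv[0]); close(sv[1]);
    return ok ? 0 : -4;
}

/* Orphan cycle: sv[1]'s own descriptor is sent through sv[0], so the message
 * (and its reference to sv[1]'s file) lands in sv[1]'s receive queue. Once both
 * fds are closed, nothing in user space refers to sv[1], yet its refcount is
 * still 1 because of the in-flight message in its own queue. Only unix_gc(),
 * which the kernel runs from the Unix socket release path when in-flight
 * sockets exist, can detect and free such a cycle. Returns 0 on success. */
int demo_inflight_cycle(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (send_fd(sv[0], sv[1]) < 0)          /* sv[1] now holds a reference to itself */
        return -2;
    close(sv[0]);
    close(sv[1]);                            /* last user-space reference gone */
    /* Confirm our fd table no longer knows the socket; the kernel object lives on. */
    if (fcntl(sv[1], F_GETFD) != -1 || errno != EBADF)
        return -3;
    return 0;
}

int main(void)
{
    printf("fd passing round trip: %d\n", demo_fd_passing_roundtrip());
    printf("in-flight self cycle:  %d\n", demo_inflight_cycle());
    return 0;
}
```

Mutual cycles (socket A sent over itself into B's queue while B is sent into A's queue) and cycles routed through an io_uring fixed-file table follow the same shape: a struct file whose only remaining references are held by queued SCM_RIGHTS messages, which is why io_uring's registered files have to be accounted for by the same garbage collector.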