References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD-CWE-noinfo

OR
          *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.13 up to (excluding) 6.13.2

kernel.org: https://git.kernel.org/stable/c/29b95ac917927ce9f95bf38797e16333ecb489b1 Types: Patch

kernel.org: https://git.kernel.org/stable/c/2a6de94df7bfa76d9850443547e7b3333f63a16a Types: Patch

In the Linux kernel, the following vulnerability has been resolved:

io_uring: prevent reg-wait speculations

With *ENTER_EXT_ARG_REG instead of passing a user pointer with arguments
for the waiting loop the user can specify an offset into a pre-mapped
region of memory, in which case the
[offset, offset + sizeof(io_uring_reg_wait)) will be intepreted as the
argument.

As we address a kernel array using a user given index, it'd be a subject
to speculation type of exploits. Use array_index_nospec() to prevent
that. Make sure to pass not the full region size but truncate by the
maximum offset allowed considering the structure size.

https://git.kernel.org/stable/c/29b95ac917927ce9f95bf38797e16333ecb489b1

https://git.kernel.org/stable/c/2a6de94df7bfa76d9850443547e7b3333f63a16a