CVE-2023-23586

Name	CVE-2023-23586
Description	Due to a vulnerability in the io_uring subsystem, it is possible to leak kernel memory information to the user process. timens_install calls current_is_single_threaded to determine if the current process is single-threaded, but this call does not consider io_uring's io_worker threads, thus it is possible to insert a time namespace's vvar page to process's memory space via a page fault. When this time namespace is destroyed, the vvar page is also freed, but not removed from the process' memory, and a next page allocated by the kernel will be still available from the user-space process and can leak memory contents via this (read-only) use-after-free vulnerability. We recommend upgrading past version 5.10.161 or commit 788d0824269bef539fe31a785b1517882eafed93 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/io_uring
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
References	DLA-3349-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
linux (PTS)	buster	4.19.249-2	fixed
	buster (security)	4.19.269-1	fixed
	bullseye	5.10.158-2	vulnerable
	bullseye (security)	5.10.162-1	fixed
	bookworm, sid	6.1.20-1	fixed
linux-5.10 (PTS)	buster (security)	5.10.162-1~deb10u1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
linux	source	buster	(not affected)
linux	source	bullseye	5.10.162-1
linux	source	(unstable)	5.14.6-1
linux-5.10	source	buster	5.10.162-1~deb10u1	DLA-3349-1

Notes

[buster] - linux <not-affected> (Vulnerable code not present)
https://kernel.dance/#788d0824269bef539fe31a785b1517882eafed93
Unclear if this is just a duplicate of CVE-2023-0240. Track it
as different for now. The only CVE record references available
are identical, but with different description of the issue.