Google Limiting IO_uring Use Due To Security Vulnerabilities

Written by Michael Larabel in Google on 16 June 2023 at 06:07 AM EDT. 15 Comments
While IO_uring has been one of the greatest Linux kernel innovations in recent years for helping to deliver more performant and efficient I/O, it's also been home to various security vulnerabilities. Due to ongoing security issues, this interface for asynchronous I/O is being restricted or outright disabled across Google products.

The Google Security Blog noted that 60% of the submissions to the Google Vulnerability Rewards Program have been around IO_uring. Google has paid out around 1 million USD in rewards for IO_uring vulnerabilities through that program.

Figure: IO_uring exploits + rewards. Google's chart shows the scale of IO_uring's security exposure, both in reward payouts and in the number of kernel exploits.

As a result, Google has disabled IO_uring in Chrome OS until it finds a way to sandbox it properly. Android, meanwhile, is using a seccomp-bpf filter so that apps cannot use it, and future Android releases will use SELinux to limit IO_uring to select system processes. Google is also working on disabling IO_uring by default in GKE Autopilot. Lastly, Google has disabled IO_uring on its production servers.
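To make the Android-style seccomp-bpf measure concrete, here is an added example (not Google's or Android's own policy) of a minimal filter that denies the three io_uring syscalls with EPERM; the function names and the probe are this example's own.

```c
/* Minimal seccomp-bpf filter that denies io_uring_setup, io_uring_enter
 * and io_uring_register with EPERM. Illustrative only; the real Android
 * policy is larger and also checks seccomp_data.arch before matching nr. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* io_uring syscall numbers are identical on every architecture (5.1+);
 * fall back to the known values if the installed headers predate them. */
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif
#ifndef __NR_io_uring_enter
#define __NR_io_uring_enter 426
#endif
#ifndef __NR_io_uring_register
#define __NR_io_uring_register 427
#endif

/* Install the filter in the calling process; it is inherited by children
 * and cannot be removed. Returns 0 on success, -1 with errno set. */
int deny_io_uring(void) {
    struct sock_filter filter[] = {
        /* Load the syscall number from seccomp_data. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* Any of the three io_uring entry points jumps to the EPERM return. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_setup, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_enter, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_register, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* Everything else passes through untouched. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Required so an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Probe: try io_uring_setup and return the resulting errno (0 on success).
 * With the filter installed this is EPERM even on kernels without io_uring,
 * where the unfiltered call would instead fail with ENOSYS. */
int probe_io_uring_setup(void) {
    if (syscall(__NR_io_uring_setup, 1, NULL) >= 0)
        return 0;
    return errno;
}
```

Because a seccomp filter is inherited across fork and exec and can never be lifted, it belongs at the start of the sandboxed process, before any untrusted code runs.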

The Google Security Blog went on to note:
"While io_uring brings performance benefits, and promptly reacts to security issues with comprehensive security fixes (like backporting the 5.15 version to the 5.10 stable tree), it is a fairly new part of the kernel. As such, io_uring continues to be actively developed, but it is still affected by severe vulnerabilities and also provides strong exploitation primitives. For these reasons, we currently consider it safe only for use by trusted components."

Read more on the Google Security Blog.