Description: privilege escalation via io_uring offload of sendmsg() onto kernel thread with kernel creds
References:
 https://bugs.chromium.org/p/project-zero/issues/detail?id=1975
Notes:
 carnil> Introduced in 0fa03c624d8f ("io_uring: add support for
 carnil> sendmsg()") in 5.3-rc1. Issue fixed in 5.4.2 and 5.3.15.
Bugs:
upstream: released (5.5-rc1) [181e448d8709e517c9c7b523fcd209f24eb38ca7, d69e07793f891524c6bbf1e75b9ae69db4450953]
4.19-upstream-stable: N/A "Vulnerable code introduced later"
4.9-upstream-stable: N/A "Vulnerable code introduced later"
3.16-upstream-stable: N/A "Vulnerable code introduced later"
sid: released (5.3.15-1)
4.19-buster-security: N/A "Vulnerable code introduced later"
4.9-stretch-security: N/A "Vulnerable code introduced later"
3.16-jessie-security: N/A "Vulnerable code introduced later"