Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 13 Jul 2018 09:25:48 -0400 (EDT)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-13405: Linux kernel: fs/inode.c:inode_init_owner()
 function mishandled a file creation in setgid directories

Heololo,

The Linux kernel through version v4.18-rc4 has a vulnerability in the
fs/inode.c:inode_init_owner() function logic that allows local users
to create files with an unintended group ownership and with group
execution and SGID permission bits set, in a scenario where a parent
directory has SGID bit set and belongs to a certain group and is
writable by a user who is not a member of this group.

In such a case a directory group non-member user can create a plain file
whose group ownership is of that group and with group execution and SGID
permission bits set. This can lead to excessive permissions granted in
case when they should not.

The intended behavior is that the non-member user can trigger creation of
a directory with group execution and SGID permission bits set whose group
ownership is of that group, but not a plain file.

The XFS filesystem is a special case here, it does not use
fs/inode.c:inode_init_owner() function from the VFS code, but uses its own
fs/xfs/xfs_inode.c:xfs_ialloc() function. The XFS filesystem behavior in
such situations is controlled by the fs.xfs.irix_sgid_inherit sysctl parameter,
and so the XFS filesystem is not vulnerable to this flaw.

[https://www.kernel.org/doc/Documentation/filesystems/xfs.txt]
fs.xfs.irix_sgid_inherit (Min: 0  Default: 0  Max: 1)
  Controls files created in SGID directories.
  If the group ID of the new file does not match the effective group
  ID or one of the supplementary group IDs of the parent dir, the
  ISGID bit is cleared if the irix_sgid_inherit compatibility sysctl
  is set.

References:

https://twitter.com/grsecurity/status/1015082951204327425

https://bugzilla.redhat.com/show_bug.cgi?id=1599161

https://bugzilla.suse.com/show_bug.cgi?id=1100416

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.