Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <40516268.50353517.1531488348910.JavaMail.zimbra@redhat.com>
Date: Fri, 13 Jul 2018 09:25:48 -0400 (EDT)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-13405: Linux kernel: fs/inode.c:inode_init_owner()
 function mishandled a file creation in setgid directories

Heololo,

The Linux kernel through version v4.18-rc4 has a vulnerability in the
fs/inode.c:inode_init_owner() function logic that allows local users
to create files with an unintended group ownership and with group
execution and SGID permission bits set, in a scenario where a parent
directory has SGID bit set and belongs to a certain group and is
writable by a user who is not a member of this group.

In such a case a directory group non-member user can create a plain file
whose group ownership is of that group and with group execution and SGID
permission bits set. This can lead to excessive permissions granted in
case when they should not.

The intended behavior is that the non-member user can trigger creation of
a directory with group execution and SGID permission bits set whose group
ownership is of that group, but not a plain file.

The XFS filesystem is a special case here, it does not use
fs/inode.c:inode_init_owner() function from the VFS code, but uses its own
fs/xfs/xfs_inode.c:xfs_ialloc() function. The XFS filesystem behavior in
such situations is controlled by the fs.xfs.irix_sgid_inherit sysctl parameter,
and so the XFS filesystem is not vulnerable to this flaw.

[https://www.kernel.org/doc/Documentation/filesystems/xfs.txt]
fs.xfs.irix_sgid_inherit (Min: 0  Default: 0  Max: 1)
  Controls files created in SGID directories.
  If the group ID of the new file does not match the effective group
  ID or one of the supplementary group IDs of the parent dir, the
  ISGID bit is cleared if the irix_sgid_inherit compatibility sysctl
  is set.

References:

https://twitter.com/grsecurity/status/1015082951204327425

https://bugzilla.redhat.com/show_bug.cgi?id=1599161

https://bugzilla.suse.com/show_bug.cgi?id=1100416

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.