Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2136822182.35841294.1542986449992.JavaMail.zimbra@redhat.com>
Date: Fri, 23 Nov 2018 10:20:49 -0500 (EST)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-16862: Linux kernel: cleancache: deleted files infoleak

Heololo,

Vasily Averin and Pavel Tikhomirov from Virtuozzo Kernel Team
found way for an unprivileged user to access a content of a deleted file
of any other users on a file systems with enabled cleancache.

Under certain conditions it may not drop a content of a deleted
file on its last iput(). When a newly created file gets an inode number
of the previously deleted file its read can get the content of the deleted
file saved in cleancache.

For now only Xen's tmem driver registers itself as a backend for cleancache:

$ git grep cleancache_register_ops
...
drivers/xen/tmem.c:             err = cleancache_register_ops(&tmem_cleancache_ops);
mm/cleancache.c:int cleancache_register_ops(const struct cleancache_ops *ops)

This means only Xen's guests with tmem driver active are vulnerable.

References:

https://lore.kernel.org/patchwork/patch/1011367/

https://bugzilla.redhat.com/show_bug.cgi?id=1649017

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.