A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files for the XFS file-system with unintended group ownership and with group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a certain group and is writable by a user who is not a member of this group. This can lead to excessive permissions being granted in cases where they should not be. This vulnerability is similar to the previous CVE-2018-13405 and adds the missed fix for XFS. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=2004810
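The scenario in the description above, modelled in user space as an added example (not code from this bug report, from the kernel, or from the XFS maintainers): a small C model of the ownership and mode decision that inode_init_owner() makes for a file created in a setgid directory, with the generic post-CVE-2018-13405 rule beside a simplified model of the older XFS path that kept the requested S_ISGID bit regardless of group membership. The struct names, the group/uid numbers and the `model_in_group()` helper are constructed for the example and are not kernel identifiers.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>

/* Minimal in-memory model of the fields inode_init_owner() touches.
 * Constructed for this example; not the kernel's struct inode. */
struct model_inode {
    mode_t   i_mode;
    unsigned i_uid;
    unsigned i_gid;
};

/* The creating task: fsuid/fsgid, supplementary groups, CAP_FSETID. */
struct model_cred {
    unsigned        fsuid;
    unsigned        fsgid;
    const unsigned *groups;
    size_t          ngroups;
    bool            cap_fsetid;
};

typedef void (*init_owner_fn)(struct model_inode *, const struct model_inode *,
                              mode_t, const struct model_cred *);

/* Stand-in for the kernel's in_group_p(): is gid the task's fsgid or one
 * of its supplementary groups? */
static bool model_in_group(const struct model_cred *c, unsigned gid)
{
    if (gid == c->fsgid)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Ownership/mode logic of the generic inode_init_owner() after commit
 * 0fa3ecd87848 (the CVE-2018-13405 fix): a non-directory created in a
 * setgid directory keeps S_ISGID only if the creator is a member of the
 * inherited group or holds CAP_FSETID. Directories always inherit it. */
void generic_inode_init_owner(struct model_inode *inode,
                              const struct model_inode *dir,
                              mode_t mode, const struct model_cred *c)
{
    inode->i_uid = c->fsuid;
    if (dir && (dir->i_mode & S_ISGID)) {
        inode->i_gid = dir->i_gid;
        if (S_ISDIR(mode))
            mode |= S_ISGID;
        else if (!model_in_group(c, inode->i_gid) && !c->cap_fsetid)
            mode &= ~S_ISGID;
    } else {
        inode->i_gid = c->fsgid;
    }
    inode->i_mode = mode;
}

/* Simplified model of the pre-fix XFS behaviour the report describes:
 * the group is inherited from a setgid parent, but the requested S_ISGID
 * bit is never cleared for a creator who is not in that group. */
void xfs_legacy_init_owner(struct model_inode *inode,
                           const struct model_inode *dir,
                           mode_t mode, const struct model_cred *c)
{
    inode->i_uid = c->fsuid;
    inode->i_gid = c->fsgid;
    if (dir && (dir->i_mode & S_ISGID))
        inode->i_gid = dir->i_gid;
    inode->i_mode = mode;          /* S_ISGID passes through unchanged */
}

/* The report's scenario: a world-writable setgid directory owned by
 * group 1000 and a creator (uid/gid 1001, not in group 1000) who asks for
 * mode 02775 on a regular file. Returns true when the result is a file
 * that is setgid, group-executable and owned by the inherited group,
 * i.e. the unintended outcome. */
bool scenario_yields_setgid_file(init_owner_fn init_owner)
{
    const struct model_inode dir = { .i_mode = S_IFDIR | S_ISGID | 0777,
                                     .i_uid = 0, .i_gid = 1000 };
    const unsigned groups[] = { 1001 };
    const struct model_cred c = { .fsuid = 1001, .fsgid = 1001,
                                  .groups = groups, .ngroups = 1,
                                  .cap_fsetid = false };
    struct model_inode file;

    init_owner(&file, &dir, S_IFREG | S_ISGID | 0775, &c);
    return file.i_gid == dir.i_gid && (file.i_mode & S_ISGID) &&
           (file.i_mode & S_IXGRP);
}

int main(void)
{
    printf("legacy xfs path : setgid file with foreign group = %s\n",
           scenario_yields_setgid_file(xfs_legacy_init_owner) ? "yes" : "no");
    printf("generic helper  : setgid file with foreign group = %s\n",
           scenario_yields_setgid_file(generic_inode_init_owner) ? "yes" : "no");
    return 0;
}
```

The legacy path returns "yes" and the generic helper "no" for the same request, which is the difference the report is about: the generic rule denies a non-member a group-executable setgid file in someone else's group, while still letting subdirectories inherit the bit as setgid directories are meant to.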
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2027677]
This was fixed in the 5.11 series kernel rebases for Fedora.
Hi

(In reply to Marian Rehak from comment #0)
> Patch for CVE-2018-13405 was insufficient because it does not cover XFS, XFS
> always inherits the SGID bit by not using generic inode_init_owner() when
> creating files inside a setgid directory.
>
> Reference:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2004810

Would it be possible to open up the restricted bug? From quick research it looks like the needed commit is

https://git.kernel.org/linus/01ea173e103edd5ec41acec65b9261b87e123fc2

commit 01ea173e103edd5ec41acec65b9261b87e123fc2
Author: Christoph Hellwig <hch>
Date:   Fri Jan 22 16:48:18 2021 -0800

    xfs: fix up non-directory creation in SGID directories

    XFS always inherits the SGID bit if it is set on the parent inode, while
    the generic inode_init_owner does not do this in a few cases where it can
    create a possible security problem, see commit 0fa3ecd87848
    ("Fix up non-directory creation in SGID directories") for details.

    Switch XFS to use the generic helper for the normal path to fix this,
    just keeping the simple field inheritance open coded for the case of the
    non-sgid case with the bsdgrpid mount option.

    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: Christian Brauner <christian.brauner>
    Signed-off-by: Christoph Hellwig <hch>
    Reviewed-by: Darrick J. Wong <djwong>
    Signed-off-by: Darrick J. Wong <djwong>

It as well refers explicitly to 0fa3ecd87848, which was the fix for CVE-2018-13405.

The above commit landed in 5.12-rc1 (so I guess, if you can confirm it is what is intended), the above information on 5.11-rc1 needs to be corrected.

Is the above correct?
In reply to comment #9:
> Hi
>
> (In reply to Marian Rehak from comment #0)
> > Patch for CVE-2018-13405 was insufficient because it does not cover XFS, XFS
> > always inherits the SGID bit by not using generic inode_init_owner() when
> > creating files inside a setgid directory.
> >
> > Reference:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2004810
>
> Would it be possible to open up the restricted bug? From a quick research
> it looks that the needed commit is
>
> https://git.kernel.org/linus/01ea173e103edd5ec41acec65b9261b87e123fc2
>
> commit 01ea173e103edd5ec41acec65b9261b87e123fc2
> Author: Christoph Hellwig <hch>
> Date:   Fri Jan 22 16:48:18 2021 -0800
>
>     xfs: fix up non-directory creation in SGID directories
>
>     XFS always inherits the SGID bit if it is set on the parent inode, while
>     the generic inode_init_owner does not do this in a few cases where it can
>     create a possible security problem, see commit 0fa3ecd87848
>     ("Fix up non-directory creation in SGID directories") for details.
>
>     Switch XFS to use the generic helper for the normal path to fix this,
>     just keeping the simple field inheritance open coded for the case of the
>     non-sgid case with the bsdgrpid mount option.
>
>     Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>     Reported-by: Christian Brauner <christian.brauner>
>     Signed-off-by: Christoph Hellwig <hch>
>     Reviewed-by: Darrick J. Wong <djwong>
>     Signed-off-by: Darrick J. Wong <djwong>
>
> It as well refers explicitly to 0fa3ecd87848 which was the fix for
> CVE-2018-13405.
>
> The above commit landed in 5.12-rc1 (so I guess if you can confirm it is
> what is intended) the above information on 5.11-rc1 needs to be corrected.
>
> Is the above correct?

I added "redhat" to the viewers of the bug, can you open it now?
Regarding the patch, I think these two:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01ea173e103e
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848

so yes, "01ea173e103edd5ec41acec65b9261b87e123fc2".

Also, try to check (by name, since the id differs from upstream) whether any of these are relevant:

List of commits available on kernel-4.18.0-348.6.el8 (1/1):
Related commit: 4dd87eb1cb9a ("Merge: xfs: fix up non-directory creation in SGID directories")
Related commit: 3ff97d12b58d ("xfs: fix up non-directory creation in SGID directories")
Related commit: adac708bdeee ("xfs: kill ialloced in xfs_dialloc()")
Related commit: 5b4938f6059b ("xfs: spilt xfs_dialloc() into 2 functions")
Related commit: 05fdea9ecdb2 ("xfs: move xfs_dialloc_roll() into xfs_dialloc()")
Related commit: abfd8d60ca5a ("xfs: move on-disk inode allocation out of xfs_ialloc()")
Related commit: 11615b1bc7d6 ("xfs: introduce xfs_dialloc_roll()")
Related commit: 5c67cccb597d ("xfs: convert noroom, okalloc in xfs_dialloc() to bool")
Related commit: 21ee99e20bbc ("xfs: check tp->t_dqinfo value instead of the XFS_TRANS_DQ_DIRTY flag")
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:4829 https://access.redhat.com/errata/RHSA-2022:4829
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:4835 https://access.redhat.com/errata/RHSA-2022:4835
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-4037