Bug 1597766 (CVE-2018-13093)

Summary: CVE-2018-13093 kernel: NULL pointer dereference in lookup_slow function
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, airlied, aquini, bhu, bskeggs, dbaker, dhoward, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, john.j5live, jokerman, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, nmurray, plougher, rvrbovsk, skozina, slawomir, steved, sthangav, trankin, vdronov, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 4.18-rc1 Doc Type: If docs needed, set a value
Doc Text:
An issue was discovered in the XFS filesystem in fs/xfs/xfs_icache.c in the Linux kernel. There is a NULL pointer dereference leading to a system panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during an allocation.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:18:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1601782, 1597767, 1597769, 1601780, 1601781, 1601783    
Bug Blocks: 1597770    

Description Laura Pardo 2018-07-03 15:07:07 UTC
An issue was discovered in the XFS filesystem in fs/xfs/xfs_icache.c in the Linux kernel. There is a NULL pointer dereference leading to a system panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during an allocation.

References:

https://bugzilla.kernel.org/show_bug.cgi?id=199367 	

Upstream patches:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=afca6c5b2595fc44383919fba740c194b0b76aff

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee457001ed6c (related, mentioned in the first patch)

Comment 1 Laura Pardo 2018-07-03 15:08:43 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1597767]

Comment 7 Vladis Dronov 2018-07-17 09:01:39 UTC
Notes:

While the flaw reproducer works when run as a privileged user (the "root"), this requires a mount of a certain filesystem image. An unprivileged attacker cannot do this even from a user+mount namespace:

$ unshare -U -r -m
# mount -t xfs fs.img mnt/
mount: mnt/: mount failed: Operation not permitted.

The article https://lwn.net/Articles/652468/ discusses unprivileged user mounts and hostile filesystem images:
 
> ... for the most part, the mount() system call is denied to processes running
> within user namespaces, even if they are privileged in their namespaces.

It also states that unprivileged filesystem mounts are not allowed as of now in the Linux kernel and probably won't be allowed in a future. Until that such flaws are considered as not exploitable:

> There were no proposals for solutions to the hostile-filesystem problem.
> But, in the absence of some sort of assurance that they can be made safe,
> unprivileged filesystem mounts are unlikely to gain acceptance; even if the
> feature gets into the kernel, distributions would be likely to disable it.

On the other hand, there is a potential possibility that still an attacker can trick a regular user to mount a malicious filesystem image, like trick him to insert an usb-flash-drive with a forged filesystem to a desktop system which will auto-mount it. In case this results only in a system crash (a DoS due to, for example, a NULL pointer dereference) the flaw impact is low but it still exists. In case of a flaw which results in a privilege escalation the flaw's impact is higher.

So the Red Hat would still consider bugs which require mounting a filesystem image to exploit as security flaws, though with Low severity.

Comment 8 errata-xmlrpc 2019-08-06 12:04:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2029 https://access.redhat.com/errata/RHSA-2019:2029

Comment 9 errata-xmlrpc 2019-08-06 12:06:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2043 https://access.redhat.com/errata/RHSA-2019:2043

Comment 10 Product Security DevOps Team 2019-08-06 13:18:54 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-13093