Bug 1599161 (CVE-2018-13405)

Summary: CVE-2018-13405 kernel: Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: abhgupta, airlied, aquini, bhu, blc, bskeggs, dbaker, dhoward, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, john.j5live, jokerman, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, mmilgram, nmurray, plougher, rt-maint, rvrbovsk, skozina, slawomir, steved, sthangav, trankin, vdronov, williams, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20180705,reported=20180709,source=suse,cvss3=4.4/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N,cwe=CWE-284,rhel-5/kernel=wontfix,rhel-6/kernel=affected,rhel-7/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=wontfix,rhel-alt-7/kernel-alt=affected,rhel-8/kernel=notaffected,fedora-all/kernel=affected,openshift-online-3/kernel=notaffected
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files with an unintended group ownership and with the group execution and SGID permission bits set, in a scenario where a directory has the SGID bit set, belongs to a certain group, and is writable by a user who is not a member of that group. This can grant excessive permissions in cases where they should not be granted.
Story Points: ---
Last Closed: 2019-06-10 10:32:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1600952, 1600956, 1725179, 1725180, 1727387, 1730052, 1599162, 1599163, 1600951, 1600953, 1600954, 1600955, 1600957, 1600958, 1727386
Bug Blocks: 1599165

Description Sam Fowler 2018-07-09 05:50:44 UTC
The Linux kernel has a vulnerability in the fs/inode.c:inode_init_owner() function logic that allows local users to create files with an unintended group ownership and with the group execution and SGID permission bits set, in a scenario where a directory is SGID, belongs to a certain group, and is writable by a user who is not a member of this group. This can lead to excessive permissions being granted in cases where they should not be.

References:

http://seclists.org/oss-sec/2018/q3/35

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

Comment 1 Sam Fowler 2018-07-09 05:51:54 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1599162]

Comment 7 Vladis Dronov 2018-07-13 13:14:35 UTC
Note:

The Linux kernel has a vulnerability in the fs/inode.c:inode_init_owner() function logic that allows local users to create files with an unintended group ownership and with the group execution and SGID permission bits set, in a scenario where a directory has the SGID bit set, belongs to a certain group, and is writable by a user who is not a member of this group.

In such a case, a user who is not a member of the directory's group can create a plain file whose group ownership is that group and which has the group execution and SGID permission bits set. This can lead to excessive permissions being granted in cases where they should not be.

The intended behavior is that the non-member user can trigger creation of a directory with the group execution and SGID permission bits set whose group ownership is that group, but not a plain file.

The above is true for filesystems using the fs/inode.c:inode_init_owner() function from the VFS code, like the EXT4 and tmpfs filesystems. Some other filesystems may not use this code. For example, the XFS filesystem is a special case here: it does not use fs/inode.c:inode_init_owner(), but uses its own fs/xfs/xfs_inode.c:xfs_ialloc() function. The XFS filesystem behavior in such situations is controlled by the fs.xfs.irix_sgid_inherit sysctl parameter:

[https://www.kernel.org/doc/Documentation/filesystems/xfs.txt]
fs.xfs.irix_sgid_inherit (Min: 0  Default: 0  Max: 1)
  Controls files created in SGID directories.
  If the group ID of the new file does not match the effective group
  ID or one of the supplementary group IDs of the parent dir, the
  ISGID bit is cleared if the irix_sgid_inherit compatibility sysctl
  is set.

Comment 8 errata-xmlrpc 2018-10-30 07:35:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3083 https://access.redhat.com/errata/RHSA-2018:3083

Comment 9 errata-xmlrpc 2018-10-30 07:41:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3096 https://access.redhat.com/errata/RHSA-2018:3096

Comment 10 errata-xmlrpc 2018-10-30 09:03:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948

Comment 11 errata-xmlrpc 2019-04-09 13:34:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:0717 https://access.redhat.com/errata/RHSA-2019:0717

Comment 14 errata-xmlrpc 2019-08-13 17:43:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:2476 https://access.redhat.com/errata/RHSA-2019:2476