Bug 1641548 (CVE-2018-18397)

Summary: CVE-2018-18397 kernel: userfaultfd bypasses tmpfs file permissions
Product: [Other] Security Response Reporter: Wade Mealing <wmealing>
Component: vulnerability Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecified CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, mvanderw, nmurray, plougher, pmatouse, rt-maint, rvrbovsk, security-response-team, steved, vdronov, williams
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel with files on tmpfs and hugetlbfs. An attacker is able to bypass file permissions on filesystems mounted with tmpfs/hugetlbfs to modify a file and possibly disrupt normal system behavior. At this time there is an understanding there is no crash or privilege escalation but the impact of modifications on these filesystems of files in production systems may have adverse effects.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:40:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1640516, 1640517, 1640518, 1640519, 1657613, 1657614, 1657615, 1657616, 1658740    
Bug Blocks: 1640512    

Description Wade Mealing 2018-10-22 08:12:38 UTC
A flaw was found in the Linux kernel with files on tmpfs and hugetlbfs.  An attacker is able to bypass file permissions on filesystems mounted with tmpfs/hugetlbfs to modify a file and possibly disrupt normal system behaviour.

At this time there is an understanding there is no crash or privilege escalation but the impact of modifications on these filesystems of files in production systems may have adverse effects.

A suggested upstream patch:

https://lore.kernel.org/lkml/20181126173452.26955-1-aarcange@redhat.com/T/#u

An upstream patchset:

9e368259ad988356c4c95150fafd1a06af095d98 userfaultfd: use ENOENT instead of EFAULT if the atomic copy user fails
5b51072e97d587186c2f5390c8c9c1fb7e179505 userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE shmem
29ec90660d68bbdd69507c1c8b4e33aa299278b1 userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
e2a50c1f64145a04959df2442305d57307e5395a userfaultfd: shmem: add i_size checks
dcf7fe9d89763a28e0f43975b422ff141fe79e43 userfaultfd: shmem: UFFDIO_COPY: set the page dirty if VM_WRITE is not set

Comment 3 Petr Matousek 2018-11-27 10:27:56 UTC
*** Bug 1640515 has been marked as a duplicate of this bug. ***

Comment 6 Vladis Dronov 2018-12-12 18:56:13 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1658740]

Comment 7 errata-xmlrpc 2019-01-29 16:07:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:0202 https://access.redhat.com/errata/RHSA-2019:0202

Comment 8 errata-xmlrpc 2019-01-29 17:23:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0163 https://access.redhat.com/errata/RHSA-2019:0163

Comment 9 errata-xmlrpc 2019-02-12 15:28:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:0324 https://access.redhat.com/errata/RHSA-2019:0324

Comment 10 errata-xmlrpc 2019-04-23 14:30:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0831 https://access.redhat.com/errata/RHSA-2019:0831