Bug 1643988 (CVE-2018-18690)

Summary: CVE-2018-18690 kernel: filesystem corruption due to an unchecked error condition during an xfs attribute change
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, lgoncalv, linville, mchehab, mcressma, mjg59, mlangsdo, nmurray, rt-maint, rvrbovsk, steved, williams, wmealing, zlang
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kernel 4.17-rc4
Last Closed: 2021-10-25 22:20:13 UTC
Bug Depends On: 1644116, 1740254, 1740255, 1740256
Bug Blocks: 1643989

Description Laura Pardo 2018-10-29 16:47:35 UTC
A vulnerability was found in the Linux kernel before 4.17. A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE operations with conversion of an attr from short to long form.


References:
https://bugzilla.kernel.org/show_bug.cgi?id=199119

Upstream Patch:
https://github.com/torvalds/linux/commit/7b38460dc8e4eafba06c78f8e37099d3b34d473c

Comment 5 Wade Mealing 2018-10-30 04:11:33 UTC
Red Hat Enterprise Linux 7 is currently not affected by this flaw, but it did affect it earlier.

This issue was unintentionally fixed in the release of kernel-3.10.0-912.el7; it will be fixed in all 3.10.0-912 versions and newer.

Comment 6 Zorro Lang 2018-11-09 03:45:33 UTC
(In reply to Wade Mealing from comment #5)
> Red Hat Enterprise Linux 7 is currently not affected by this flaw, but it
> did affect it earlier.
> 
> This issue was unintentionally fixed in the release of
> kernel-3.10.0-912.el7, it will be fixed in all 3.10.0-912 versions and newer.

I think there's 'unintentionally fix' bug :) please check bug 1590625.

Thanks,
Zorro

Comment 7 Zorro Lang 2018-11-09 03:46:44 UTC
(In reply to Zorro Lang from comment #6)
> (In reply to Wade Mealing from comment #5)
> > Red Hat Enterprise Linux 7 is currently not affected by this flaw, but it
> > did affect it earlier.
> > 
> > This issue was unintentionally fixed in the release of
> > kernel-3.10.0-912.el7, it will be fixed in all 3.10.0-912 versions and newer.
> 
> I think there's 'unintentionally fix' bug :) please check bug 1590625.
   ^
  don't

> 
> Thanks,
> Zorro

Comment 8 Wade Mealing 2019-03-06 04:15:00 UTC
@Zorro, 

Maybe.. but to me it looked to be fixed as a side effect at the time. Done is done.