Bug 1649017 (CVE-2018-16862)

Summary: CVE-2018-16862 kernel: cleancache: Infoleak of deleted files after reuse of old inodes
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, ewk, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, john.j5live, jonathan, josef, jross, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rt-maint, rvrbovsk, security-response-team, steved, vdronov, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:42:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1653122    
Bug Blocks: 1649018    

Description Pedro Sampaio 2018-11-12 17:47:55 UTC 
A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and so the old file data instead of the new one.

References:

https://seclists.org/oss-sec/2018/q4/169

A suggested patch:

https://lore.kernel.org/patchwork/patch/1011367/
Comment 3 Vladis Dronov 2018-11-23 15:10:08 UTC 
Acknowledgments:

Name: Vasily Averin (Virtuozzo Kernel Team), Pavel Tikhomirov (Virtuozzo Kernel Team)
Comment 4 Vladis Dronov 2018-11-23 15:32:16 UTC 
Note:

While RHEL-ALT and RHEL-8 are vulnerable to this flaw, only Xen's [tmem] driver is a possible backend for the CleanCache subsystem. So, a vulnerable configuration is RHEL as a Xen's guest. According to https://access.redhat.com/certified-hypervisors this is not a supported configuration, and so the flaw is not currently planned to be addressed in future updates.
Comment 5 Sam Fowler 2018-11-26 00:05:03 UTC 
External Reference:

https://seclists.org/oss-sec/2018/q4/169
Comment 6 Sam Fowler 2018-11-26 00:06:11 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1653122]