Bug 1746777 (CVE-2019-15538)

Summary: CVE-2019-15538 kernel: denial of service in xfs_setattr_nonsize in fs/xfs/xfs_iops.c
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, airlied, bhu, blc, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, masami256, matt, mchehab, mcressma, mjg59, mlangsdo, nmurray, plougher, rvrbovsk, steved, williams, yozone
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A vulnerability was found in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the XFS file system. The acquired ILOCK is not released when the call to xfs_qm_vop_chown_reserve fails, so the lock remains held, which can lead to denial of access to that device.
Bug Depends On: 1804181, 1746779    
Bug Blocks: 1746781    

Description Dhananjay Arunesh 2019-08-29 09:06:41 UTC
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.

Reference:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1fb254aa983bf190cfd685d40c64a480a9bafaee
https://github.com/torvalds/linux/commit/1fb254aa983bf190cfd685d40c64a480a9bafaee
https://lore.kernel.org/linux-xfs/20190823192433.GA8736@eldamar.local
https://lore.kernel.org/linux-xfs/20190823035528.GH1037422@magnolia/
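
The error-path lock leak described above, as an added example: a simplified userspace C model, not the kernel's code and not the upstream patch. All names are hypothetical, an `atomic_flag` stands in for the ILOCK, and the `-EBUSY` returned on retry stands in for a task that would block on the held lock.

```c
/* Simplified userspace model of the lock leak; not kernel code, all names hypothetical. */
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>

struct model_inode {
    atomic_flag ilock;        /* stands in for the inode's ILOCK; set = held */
    long blocks, quota_left;  /* file size vs. what the target group may still take */
    unsigned gid;
};
/* Stand-in for the quota reservation step: fails when the group is over quota. */
static int chown_reserve(const struct model_inode *ip) {
    return ip->blocks > ip->quota_left ? -EDQUOT : 0;
}

/* Flawed shape: the failure return leaves the lock held. */
int setattr_leaky(struct model_inode *ip, unsigned gid) {
    if (atomic_flag_test_and_set(&ip->ilock))
        return -EBUSY;        /* a real kernel task would block here instead */
    int error = chown_reserve(ip);
    if (error)
        return error;         /* lock never released */
    ip->gid = gid;
    atomic_flag_clear(&ip->ilock);
    return 0;
}

/* Corrected shape: every exit after the lock is taken passes through the unlock. */
int setattr_fixed(struct model_inode *ip, unsigned gid) {
    if (atomic_flag_test_and_set(&ip->ilock))
        return -EBUSY;
    int error = chown_reserve(ip);
    if (!error)
        ip->gid = gid;
    atomic_flag_clear(&ip->ilock);
    return error;
}

/* Constructed scenario: a chgrp fails on quota, quota is raised, the chgrp is retried. */
int retry_chgrp(int (*setattr)(struct model_inode *, unsigned)) {
    struct model_inode ip = { .ilock = ATOMIC_FLAG_INIT, .blocks = 100, .quota_left = 10 };
    int first = setattr(&ip, 1000);
    ip.quota_left = 1000;
    return first == -EDQUOT ? setattr(&ip, 1000) : 1;
}

int main(void) {
    printf("leaky: %d, fixed: %d\n", retry_chgrp(setattr_leaky), retry_chgrp(setattr_fixed));
    return 0;
}
```

In the leaky variant the retry fails even though the quota condition has been resolved, which is the model's equivalent of the partial wedge the description reports.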

Comment 1 Dhananjay Arunesh 2019-08-29 09:07:19 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1746779]

Comment 4 Rohit Keshri 2020-02-18 12:32:44 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.