Bug 1953022 (CVE-2021-3543)

Summary: CVE-2021-3543 kernel: nitro_enclaves stale file descriptors on failed usercopy
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bdettelb, bhu, blc, bmasney, brdeoliv, bskeggs, carnil, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarodwilson, jeremy, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rvrbovsk, security-response-team, steved, tomckay, walters, wcosta, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 4.18.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw null pointer dereference in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs forces closures on the enclave file descriptor. A local user of a host machine could use this flaw to crash the system or escalate their privileges on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-01 11:32:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1953717, 1953718, 1953719, 1955580, 1956379, 1956380    
Bug Blocks: 1952029, 1958957    

Description Guilherme de Almeida Suckevicz 2021-04-23 18:21:24 UTC 
A failing usercopy of the slot uid will lead to a stale entry in the
file descriptor table as put_unused_fd() won't release it. This enables
userland to refer to a dangling 'file' object through that still valid
file descriptor, leading to all kinds of use-after-free exploitation
scenarios.

Exchanging put_unused_fd() for close_fd(), ksys_close() or alike won't
solve the underlying issue, as the file descriptor might have been
replaced in the meantime, e.g. via userland calling close() on it
(leading to a NULL pointer dereference in the error handling code as
'fget(enclave_fd)' will return a NULL pointer) or by dup2()'ing a
completely different file object to that very file descriptor, leading
to the same situation: a dangling file descriptor pointing to a freed
object -- just in this case to a file object of user's choosing.

Generally speaking, after the call to fd_install() the file descriptor
is live and userland is free to do whatever with it. We cannot rely on
it to still refer to our enclave object afterwards. In fact, by abusing
userfaultfd() userland can hit the condition without any racing and
abuse the error handling in the nitro code as it pleases.
Comment 5 Guilherme de Almeida Suckevicz 2021-04-30 12:43:24 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1955580]
Comment 6 Alex 2021-05-02 14:45:37 UTC 
External References:

https://lore.kernel.org/lkml/20210429165941.27020-2-andraprs@amazon.com/
Comment 9 Alex 2021-05-03 15:59:46 UTC 
Statement:

This flaw is rated as having a Moderate impact because in the default configuration, the issue can only be triggered by a privileged local user (with access to the ne group if this user manages Enclaves VMs).
Comment 22 errata-xmlrpc 2021-06-01 09:43:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2169 https://access.redhat.com/errata/RHSA-2021:2169
Comment 23 errata-xmlrpc 2021-06-01 11:04:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2168 https://access.redhat.com/errata/RHSA-2021:2168
Comment 24 Product Security DevOps Team 2021-06-01 11:32:11 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3543