Bug 1468283 - (CVE-2017-7533) CVE-2017-7533 kernel: a race between inotify_handle_event() and sys_rename()
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
high Severity high
Assigned To: Red Hat Product Security
impact=important,public=20170803,repo...
: Security
Depends On: 1470403 1478098 1471130 1471131 1471132 1471133 1477764 1477766 1477767 1478086 1478096 1478097 1478099 1478100
Blocks: 1468288
Reported: 2017-07-06 10:55 EDT by Pedro Sampaio
Modified: 2017-10-10 08:46 EDT

Doc Type: Bug Fix
Doc Text:
A race condition was found in the Linux kernel, present since v3.14-rc1 through v4.12. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race, the next slab data or the slab's free list pointer can be corrupted with attacker-controlled data, which may lead to privilege escalation.


Attachments
dmesg-slub-debug.txt (44.53 KB, text/plain)
2017-07-12 08:04 EDT, Vladis Dronov

Description Pedro Sampaio 2017-07-06 10:55:10 EDT
A race condition was found in the Linux kernel, present since v3.14-rc1 up to and including v4.12. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race, the next slab data or the slab's free list pointer can be corrupted with attacker-controlled data, which may lead to privilege escalation.

The researchers of this flaw are Leilei Lin from Alibaba Group and Fan Wu and Shixiong Zhao from a research group supervised by Dr. Heming Cui of the Department of Computer Science, The University of Hong Kong. Thanks to Rui Gu and Prof. Junfeng Yang from Columbia University for tools and suggestions.

References:

http://seclists.org/oss-sec/2017/q3/240

https://access.redhat.com/security/vulnerabilities/3112931

https://patchwork.kernel.org/patch/9755753/

https://patchwork.kernel.org/patch/9755757/

https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1408967.html

https://bugzilla.kernel.org/show_bug.cgi?id=196279 (restricted access)

Upstream patch: 49d31c2f389a

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=49d31c2f389acfe83417083e1208422b4091cd9
Comment 1 Vladis Dronov 2017-07-12 08:04 EDT
Created attachment 1296934
dmesg-slub-debug.txt
Comment 6 Vladis Dronov 2017-07-14 11:11:58 EDT
Statement:

This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6, 7.0 and 7.1 as the code with the flaw is not present in the products listed.

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 7.2 and newer and Red Hat Enterprise MRG 2. Future kernel updates for these products may address this issue.
Comment 7 Vladis Dronov 2017-07-14 11:13:15 EDT
Acknowledgments:

Name: Leilei Lin (Alibaba Group), Fan Wu (The University of Hong Kong), Shixiong Zhao (The University of Hong Kong)
Comment 8 Vladis Dronov 2017-08-03 10:33:51 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1478086]
Comment 11 errata-xmlrpc 2017-08-15 07:46:16 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2473 https://access.redhat.com/errata/RHSA-2017:2473
Comment 13 errata-xmlrpc 2017-09-05 07:31:34 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2585 https://access.redhat.com/errata/RHSA-2017:2585
Comment 14 errata-xmlrpc 2017-09-06 16:43:19 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2669 https://access.redhat.com/errata/RHSA-2017:2669
Comment 15 errata-xmlrpc 2017-09-19 12:12:03 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:2770 https://access.redhat.com/errata/RHSA-2017:2770
Comment 16 errata-xmlrpc 2017-10-10 08:46:39 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:2869 https://access.redhat.com/errata/RHSA-2017:2869