Bug 1596846 (CVE-2018-10883) - CVE-2018-10883 kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function
Summary: CVE-2018-10883 kernel: stack-out-of-bounds write in jbd2_journal_dirty_metada...
Status: NEW
Alias: CVE-2018-10883
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20180614,reported=2...
Keywords: Security
Depends On: 1609761 1596847 1596849 1609759 1609760 1609762
Blocks: 1596848
TreeView+ depends on / blocked
 
Reported: 2018-06-29 19:14 UTC by Laura Pardo
Modified: 2019-02-08 14:56 UTC (History)
44 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2948 None None None 2018-10-30 09:03 UTC
Red Hat Product Errata RHSA-2018:3083 None None None 2018-10-30 07:35 UTC
Red Hat Product Errata RHSA-2018:3096 None None None 2018-10-30 07:41 UTC

Description Laura Pardo 2018-06-29 19:14:56 UTC
A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image.

References:

https://bugzilla.kernel.org/show_bug.cgi?id=200071

Upstream patches:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8bc1379b82b8e809eef77a9fedbb75c6c297be19

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e09463f220ca9a1a1ecfda84fcda658f99a1f12a

Comment 1 Laura Pardo 2018-06-29 19:16:05 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1596847]

Comment 3 Jason Shepherd 2018-07-05 00:24:02 UTC
An openshift-online user cannot supply an image for mounting.

Comment 4 Justin M. Forbes 2018-07-16 14:42:26 UTC
This is fixed for Fedora with the 4.17.6 stable kernel update

Comment 8 Vladis Dronov 2018-07-30 12:02:44 UTC
Notes:

While the flaw reproducer works when run as a privileged user (the "root"), this requires a mount of a certain filesystem image. An unprivileged attacker cannot do this even from a user+mount namespace:

$ unshare -U -r -m
# mount -t ext4 fs.img mnt/
mount: mnt/: mount failed: Operation not permitted.

The article https://lwn.net/Articles/652468/ discusses unprivileged user mounts and hostile filesystem images:
 
> ... for the most part, the mount() system call is denied to processes running
> within user namespaces, even if they are privileged in their namespaces.

It also states that unprivileged filesystem mounts are not allowed as of now in the Linux kernel and probably won't be allowed in a future. Until that such flaws are considered as not exploitable:

> There were no proposals for solutions to the hostile-filesystem problem.
> But, in the absence of some sort of assurance that they can be made safe,
> unprivileged filesystem mounts are unlikely to gain acceptance; even if the
> feature gets into the kernel, distributions would be likely to disable it.

On the other hand, there is a potential possibility that still an attacker can trick a regular user to mount a malicious filesystem image, like trick him to insert an usb-flash-drive with a forged filesystem to a desktop system which will auto-mount it. In case this results only in a system crash (a DoS due to, for example, a NULL pointer dereference) the flaw impact is low but it still exists. In case of a flaw which results in a privilege escalation the flaw's impact is higher.

So the Red Hat would still consider bugs which require mounting a filesystem image to exploit as security flaws, though with Low severity.

Comment 9 errata-xmlrpc 2018-10-30 07:34:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3083 https://access.redhat.com/errata/RHSA-2018:3083

Comment 10 errata-xmlrpc 2018-10-30 07:41:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:3096 https://access.redhat.com/errata/RHSA-2018:3096

Comment 11 errata-xmlrpc 2018-10-30 09:03:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948


Note You need to log in before you can comment on or make changes to this bug.