Bug 1641548 (CVE-2018-18397) - CVE-2018-18397 kernel: userfaultfd bypasses tmpfs file permissions
Status: CLOSED ERRATA
Alias: CVE-2018-18397
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Red Hat Product Security
Duplicates: 1640515
Depends On: 1640516 1640517 1640518 1640519 1657613 1657614 1657615 1657616 1658740
Blocks: 1640512
Reported: 2018-10-22 08:12 UTC by Wade Mealing
Modified: 2021-02-16 22:53 UTC

Doc Text:
A flaw was found in the Linux kernel with files on tmpfs and hugetlbfs. An attacker is able to bypass file permissions on filesystems mounted with tmpfs/hugetlbfs to modify a file and possibly disrupt normal system behavior. At this time there is an understanding there is no crash or privilege escalation but the impact of modifications on these filesystems of files in production systems may have adverse effects.
Last Closed: 2019-06-10 10:40:46 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2019:0163 | 0 | None | None | None | 2019-01-29 17:23:47 UTC
Red Hat Product Errata | RHSA-2019:0202 | 0 | None | None | None | 2019-01-29 16:07:02 UTC
Red Hat Product Errata | RHSA-2019:0324 | 0 | None | None | None | 2019-02-12 15:28:08 UTC
Red Hat Product Errata | RHSA-2019:0831 | 0 | None | None | None | 2019-04-23 14:30:29 UTC

Description Wade Mealing 2018-10-22 08:12:38 UTC
A flaw was found in the Linux kernel with files on tmpfs and hugetlbfs.  An attacker is able to bypass file permissions on filesystems mounted with tmpfs/hugetlbfs to modify a file and possibly disrupt normal system behaviour.

At this time there is an understanding there is no crash or privilege escalation but the impact of modifications on these filesystems of files in production systems may have adverse effects.

A suggested upstream patch:

https://lore.kernel.org/lkml/20181126173452.26955-1-aarcange@redhat.com/T/#u

An upstream patchset:

9e368259ad988356c4c95150fafd1a06af095d98 userfaultfd: use ENOENT instead of EFAULT if the atomic copy user fails
5b51072e97d587186c2f5390c8c9c1fb7e179505 userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE shmem
29ec90660d68bbdd69507c1c8b4e33aa299278b1 userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
e2a50c1f64145a04959df2442305d57307e5395a userfaultfd: shmem: add i_size checks
dcf7fe9d89763a28e0f43975b422ff141fe79e43 userfaultfd: shmem: UFFDIO_COPY: set the page dirty if VM_WRITE is not set

Comment 3 Petr Matousek 2018-11-27 10:27:56 UTC
*** Bug 1640515 has been marked as a duplicate of this bug. ***

Comment 6 Vladis Dronov 2018-12-12 18:56:13 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1658740]

Comment 7 errata-xmlrpc 2019-01-29 16:07:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:0202 https://access.redhat.com/errata/RHSA-2019:0202

Comment 8 errata-xmlrpc 2019-01-29 17:23:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0163 https://access.redhat.com/errata/RHSA-2019:0163

Comment 9 errata-xmlrpc 2019-02-12 15:28:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:0324 https://access.redhat.com/errata/RHSA-2019:0324

Comment 10 errata-xmlrpc 2019-04-23 14:30:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:0831 https://access.redhat.com/errata/RHSA-2019:0831
