Bug 1953022 (CVE-2021-3543) - CVE-2021-3543 kernel: nitro_enclaves stale file descriptors on failed usercopy
Summary: CVE-2021-3543 kernel: nitro_enclaves stale file descriptors on failed usercopy
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3543
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1953717 1953718 1953719 1955580 1956379 1956380
Blocks: 1952029 1958957
TreeView+ depends on / blocked
 
Reported: 2021-04-23 18:21 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:19 UTC (History)
47 users (show)

Fixed In Version: kernel 4.18.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw null pointer dereference in the Nitro Enclaves kernel driver was found in the way that Enclaves VMs forces closures on the enclave file descriptor. A local user of a host machine could use this flaw to crash the system or escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2021-06-01 11:32:11 UTC
Embargoed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-04-23 18:21:24 UTC
A failing usercopy of the slot uid will lead to a stale entry in the
file descriptor table as put_unused_fd() won't release it. This enables
userland to refer to a dangling 'file' object through that still valid
file descriptor, leading to all kinds of use-after-free exploitation
scenarios.

Exchanging put_unused_fd() for close_fd(), ksys_close() or alike won't
solve the underlying issue, as the file descriptor might have been
replaced in the meantime, e.g. via userland calling close() on it
(leading to a NULL pointer dereference in the error handling code as
'fget(enclave_fd)' will return a NULL pointer) or by dup2()'ing a
completely different file object to that very file descriptor, leading
to the same situation: a dangling file descriptor pointing to a freed
object -- just in this case to a file object of user's choosing.

Generally speaking, after the call to fd_install() the file descriptor
is live and userland is free to do whatever with it. We cannot rely on
it to still refer to our enclave object afterwards. In fact, by abusing
userfaultfd() userland can hit the condition without any racing and
abuse the error handling in the nitro code as it pleases.

Comment 5 Guilherme de Almeida Suckevicz 2021-04-30 12:43:24 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1955580]

Comment 9 Alex 2021-05-03 15:59:46 UTC
Statement:

This flaw is rated as having a Moderate impact because in the default configuration, the issue can only be triggered by a privileged local user (with access to the ne group if this user manages Enclaves VMs).

Comment 22 errata-xmlrpc 2021-06-01 09:43:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2169 https://access.redhat.com/errata/RHSA-2021:2169

Comment 23 errata-xmlrpc 2021-06-01 11:04:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2168 https://access.redhat.com/errata/RHSA-2021:2168

Comment 24 Product Security DevOps Team 2021-06-01 11:32:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3543


Note You need to log in before you can comment on or make changes to this bug.