Bug 2027239 (CVE-2021-4037) - CVE-2021-4037 kernel: security regression for CVE-2018-13405
Summary: CVE-2021-4037 kernel: security regression for CVE-2018-13405
Keywords:
Status: NEW
Alias: CVE-2021-4037
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2059652 2068408 2004810 2027441 2027442 2027443 2027677 2059653 2068409
Blocks: 2027954 2018945
 
Reported: 2021-11-29 07:51 UTC by Marian Rehak
Modified: 2022-05-19 05:11 UTC (History)

Fixed In Version: Linux kernel 5.11-rc1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files for the XFS file-system with unintended group ownership and with the group execution and SGID permission bits set, in a scenario where a directory is SGID, belongs to a certain group, and is writable by a user who is not a member of this group. This can lead to excessive permissions being granted in cases where they should not be. This vulnerability is similar to the previous CVE-2018-13405 and adds the fix that was missed for XFS.
Clone Of:
Environment:
Last Closed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:2229 0 None None None 2022-05-12 11:26:58 UTC
Red Hat Product Errata RHBA-2022:4630 0 None None None 2022-05-18 11:46:43 UTC
Red Hat Product Errata RHBA-2022:4693 0 None None None 2022-05-19 05:11:08 UTC
Red Hat Product Errata RHSA-2022:1975 0 None None None 2022-05-10 14:40:23 UTC
Red Hat Product Errata RHSA-2022:1988 0 None None None 2022-05-10 14:46:24 UTC

Description Marian Rehak 2021-11-29 07:51:29 UTC
A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the Linux kernel that allows local users to create files for the XFS file-system with unintended group ownership and with the group execution and SGID permission bits set, in a scenario where a directory is SGID, belongs to a certain group, and is writable by a user who is not a member of this group. This can lead to excessive permissions being granted in cases where they should not be. This vulnerability is similar to the previous CVE-2018-13405 and adds the fix that was missed for XFS.

Reference:

https://bugzilla.redhat.com/show_bug.cgi?id=2004810

Comment 3 Alex 2021-11-30 12:32:08 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2027677]

Comment 8 Justin M. Forbes 2021-12-01 12:51:01 UTC
This was fixed in the 5.11 series kernel rebases for Fedora.

Comment 9 Salvatore Bonaccorso 2021-12-02 06:54:07 UTC
Hi

(In reply to Marian Rehak from comment #0)
> Patch for CVE-2018-13405 was insufficient because it does not cover XFS, XFS
> always inherits the SGID bit by not using generic inode_init_owner() when
> creating files inside a setgid directory.
> 
> Reference:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=2004810

Would it be possible to open up the restricted bug? From quick research
it looks that the needed commit is

https://git.kernel.org/linus/01ea173e103edd5ec41acec65b9261b87e123fc2

commit 01ea173e103edd5ec41acec65b9261b87e123fc2
Author: Christoph Hellwig <hch@lst.de>
Date:   Fri Jan 22 16:48:18 2021 -0800

    xfs: fix up non-directory creation in SGID directories
    
    XFS always inherits the SGID bit if it is set on the parent inode, while
    the generic inode_init_owner does not do this in a few cases where it can
    create a possible security problem, see commit 0fa3ecd87848
    ("Fix up non-directory creation in SGID directories") for details.
    
    Switch XFS to use the generic helper for the normal path to fix this,
    just keeping the simple field inheritance open coded for the case of the
    non-sgid case with the bsdgrpid mount option.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: Christian Brauner <christian.brauner@ubuntu.com>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: Darrick J. Wong <djwong@kernel.org>
    Signed-off-by: Darrick J. Wong <djwong@kernel.org>

It as well refers explicitly to 0fa3ecd87848 which was the fix for
CVE-2018-13405. 

The above commit landed in 5.12-rc1 (so I guess if you can confirm it is
what is intended) the above information on 5.11-rc1 needs to be corrected.

Is the above correct?

Comment 10 Alex 2021-12-02 09:55:39 UTC
In reply to comment #9:
> Hi
> 
> (In reply to Marian Rehak from comment #0)
> > Patch for CVE-2018-13405 was insufficient because it does not cover XFS, XFS
> > always inherits the SGID bit by not using generic inode_init_owner() when
> > creating files inside a setgid directory.
> > 
> > Reference:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=2004810
> 
> Would it be possible to open up the restricted bug? From quick research
> it looks that the needed commit is
> 
> https://git.kernel.org/linus/01ea173e103edd5ec41acec65b9261b87e123fc2
> 
> commit 01ea173e103edd5ec41acec65b9261b87e123fc2
> Author: Christoph Hellwig <hch@lst.de>
> Date:   Fri Jan 22 16:48:18 2021 -0800
> 
>     xfs: fix up non-directory creation in SGID directories
>     
>     XFS always inherits the SGID bit if it is set on the parent inode, while
>     the generic inode_init_owner does not do this in a few cases where it can
>     create a possible security problem, see commit 0fa3ecd87848
>     ("Fix up non-directory creation in SGID directories") for details.
>     
>     Switch XFS to use the generic helper for the normal path to fix this,
>     just keeping the simple field inheritance open coded for the case of the
>     non-sgid case with the bsdgrpid mount option.
>     
>     Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>     Reported-by: Christian Brauner <christian.brauner@ubuntu.com>
>     Signed-off-by: Christoph Hellwig <hch@lst.de>
>     Reviewed-by: Darrick J. Wong <djwong@kernel.org>
>     Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> 
> It as well refers explicitly to 0fa3ecd87848 which was the fix for
> CVE-2018-13405. 
> 
> The above commit landed in 5.12-rc1 (so I guess if you can confirm it is
> what is intended) the above information on 5.11-rc1 needs to be corrected.
> 
> Is the above correct?

I added "redhat" to the viewers of the bug, can you open it now?

Regarding the patch, I think these two:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01ea173e103e
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848
, so yes "01ea173e103edd5ec41acec65b9261b87e123fc2".

Also, try to check (by name, since the id differs from upstream) if any of these are actual:
List of commits available on kernel-4.18.0-348.6.el8 (1/1):
Related commit: 4dd87eb1cb9a ("Merge: xfs: fix up non-directory creation in SGID directories")
Related commit: 3ff97d12b58d ("xfs: fix up non-directory creation in SGID directories")
Related commit: adac708bdeee ("xfs: kill ialloced in xfs_dialloc()")
Related commit: 5b4938f6059b ("xfs: spilt xfs_dialloc() into 2 functions")
Related commit: 05fdea9ecdb2 ("xfs: move xfs_dialloc_roll() into xfs_dialloc()")
Related commit: abfd8d60ca5a ("xfs: move on-disk inode allocation out of xfs_ialloc()")
Related commit: 11615b1bc7d6 ("xfs: introduce xfs_dialloc_roll()")
Related commit: 5c67cccb597d ("xfs: convert noroom, okalloc in xfs_dialloc() to bool")
Related commit: 21ee99e20bbc ("xfs: check tp->t_dqinfo value instead of the XFS_TRANS_DQ_DIRTY flag")

Comment 15 errata-xmlrpc 2022-05-10 14:40:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1975 https://access.redhat.com/errata/RHSA-2022:1975

Comment 16 errata-xmlrpc 2022-05-10 14:46:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1988 https://access.redhat.com/errata/RHSA-2022:1988

