Bug 446057 - kernel: 2.6.22-> - utimensat() file time modification bypass vulnerability
kernel: 2.6.22-> - utimensat() file time modification bypass vulnerab...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
  Show dependency treegraph
Reported: 2008-05-12 09:48 EDT by Jan Lieskovsky
Modified: 2010-03-22 11:39 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-03-22 11:39:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2008-05-12 09:48:47 EDT
Description of problem:

If utimensat() is called with both times set to UTIME_NOW or one of them to
UTIME_NOW and the other to UTIME_OMIT, then it will update the file time
without any permission checking.

I don't think this can be used for anything other than a local DoS, but could
be quite bewildering at that (e.g.  "Why was that large source tree rebuilt
when I didn't modify anything???")

This affects all kernels from 2.6.22, when the utimensat() syscall was

Fix by doing the same permission checking as for the "times == NULL" case.

Thanks to Michael Kerrisk, whose utimensat-non-conformances-and-fixes.patch in
-mm also fixes this (and breaks other stuff), only he didn't realize the
security implications of this bug.

Version-Release number of selected component (if applicable):

Additional info:

This issue doesn't affect RHEL kernels as the utimensat() system call
is not yet present in 2.6.18 version of the Linux kernel (filling only
against Fedora kernels).

Proposed upstream patch:


Note You need to log in before you can comment on or make changes to this bug.