Bug 446057 - kernel: 2.6.22->2.6.25.2 - utimensat() file time modification bypass vulnerability
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
public=20080501,reported=20080501,sou...
: Security
Reported: 2008-05-12 09:48 EDT by Jan Lieskovsky
Modified: 2010-03-22 11:39 EDT
Doc Type: Bug Fix
Last Closed: 2010-03-22 11:39:08 EDT
Description Jan Lieskovsky 2008-05-12 09:48:47 EDT
Description of problem:

If utimensat() is called with both times set to UTIME_NOW or one of them to
UTIME_NOW and the other to UTIME_OMIT, then it will update the file time
without any permission checking.

I don't think this can be used for anything other than a local DoS, but could
be quite bewildering at that (e.g.  "Why was that large source tree rebuilt
when I didn't modify anything???")

This affects all kernels from 2.6.22, when the utimensat() syscall was
introduced.

Fix by doing the same permission checking as for the "times == NULL" case.

Thanks to Michael Kerrisk, whose utimensat-non-conformances-and-fixes.patch in
-mm also fixes this (and breaks other stuff), only he didn't realize the
security implications of this bug.

Version-Release number of selected component (if applicable):
2.6.22->2.6.25.2

Additional info:

This issue doesn't affect RHEL kernels as the utimensat() system call
is not yet present in the 2.6.18 version of the Linux kernel (filing only
against Fedora kernels).

Proposed upstream patch:

http://git.kernel.org/?p=linux/kernel/git/stable/stable-queue.git;a=blob;f=review-2.6.25/vfs-fix-permission-checking-in-sys_utimensat.patch;h=1da0b9bf9f078e3eb147a6799e5a74af2484014a;hb=cbe22288b271b4e4e51f5573281662f53466e41a
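
Added illustration, not part of the original report and not the kernel's own code: a user-space C model of which permission check each utimensat() request receives before and after the fix described above. The enum and function names are hypothetical, the owner-only rule for explicit timestamps follows the documented utimensat(2) semantics, and UTIME_OMIT/UTIME_OMIT is left out of the count because the report does not discuss it.

```c
#include <stdbool.h>
#include <sys/stat.h>
#include <time.h>
#ifndef UTIME_NOW                     /* fallback: values used by Linux headers */
#define UTIME_NOW  ((1L << 30) - 1L)
#define UTIME_OMIT ((1L << 30) - 2L)
#endif

enum check { CHECK_NONE, CHECK_OWNER_OR_WRITE, CHECK_OWNER };

static bool special(long nsec) { return nsec == UTIME_NOW || nsec == UTIME_OMIT; }

/* Behaviour the report describes: only times == NULL gets the owner/write check. */
enum check check_before_fix(const struct timespec *times)
{
    if (times == NULL)
        return CHECK_OWNER_OR_WRITE;
    if (!special(times[0].tv_nsec) || !special(times[1].tv_nsec))
        return CHECK_OWNER;           /* an explicit timestamp: owner only */
    return CHECK_NONE;                /* the bug: NOW/NOW and NOW/OMIT skip every check */
}

/* Fix as described: special-value requests are checked like times == NULL. */
enum check check_after_fix(const struct timespec *times)
{
    if (times != NULL && (!special(times[0].tv_nsec) || !special(times[1].tv_nsec)))
        return CHECK_OWNER;
    return CHECK_OWNER_OR_WRITE;
}

bool allowed(enum check c, bool is_owner, bool can_write)
{
    if (c == CHECK_NONE) return true;
    return c == CHECK_OWNER ? is_owner : (is_owner || can_write);
}

/* Count NOW/NOW, NOW/OMIT and OMIT/NOW requests that succeed for a caller
 * who neither owns the file nor has write access to it. */
int unchecked_updates(enum check (*policy)(const struct timespec *))
{
    const long v[] = { UTIME_NOW, UTIME_OMIT };
    int n = 0;
    for (int a = 0; a < 2; a++)
        for (int m = 0; m < 2; m++) {
            struct timespec t[2] = { { .tv_nsec = v[a] }, { .tv_nsec = v[m] } };
            n += (a + m < 2) && allowed(policy(t), false, false); /* skip OMIT/OMIT */
        }
    return n;
}
```

In this model the pre-fix policy lets all three special-value requests through for an unrelated user, and the post-fix policy lets none through.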
