Bug 1468283 (CVE-2017-7533) - CVE-2017-7533 kernel: a race between inotify_handle_event() and sys_rename()
Summary: CVE-2017-7533 kernel: a race between inotify_handle_event() and sys_rename()
Status: CLOSED ERRATA
Alias: CVE-2017-7533
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20170803,repo...
Keywords: Security
Depends On: 1470403 1471130 1471131 1471132 1471133 1477764 1477766 1477767 1478086 1478096 1478097 1478098 1478099 1478100
Blocks: 1468288
TreeView+ depends on / blocked
 
Reported: 2017-07-06 14:55 UTC by Pedro Sampaio
Modified: 2019-06-11 11:13 UTC (History)
20 users (show)

(edit)
A race condition was found in the Linux kernel, present since v3.14-rc1 through v4.12. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race the next slab data or the slab's free list pointer can be corrupted with attacker-controlled data, which may lead to the privilege escalation.
Clone Of:
(edit)
Last Closed: 2019-06-08 03:16:04 UTC


Attachments (Terms of Use)
dmesg-slub-debug.txt (44.53 KB, text/plain)
2017-07-12 12:04 UTC, Vladis Dronov
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2473 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-08-15 15:45:10 UTC
Red Hat Product Errata RHSA-2017:2585 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2017-09-05 15:19:20 UTC
Red Hat Product Errata RHSA-2017:2669 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2017-09-07 00:36:52 UTC
Red Hat Product Errata RHSA-2017:2770 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-09-19 20:09:07 UTC
Red Hat Product Errata RHSA-2017:2869 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-10-10 16:45:24 UTC

Description Pedro Sampaio 2017-07-06 14:55:10 UTC
A race condition was found in Linux kernel present since v3.14-rc1 upto v4.12 including. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race the the next slab data or the slab's free list pointer can be corrupted with attacker-controlled data, which may lead to the privilege escalation.

The researchers of this flaw are Leilei Lin from Alibaba Group and Fan Wu and Shixiong Zhao from a research group supervised by Dr. Heming Cui of the Department of Computer Science, The University of Hong Kong. Thanks to Rui Gu and Prof.Junfeng Yang from Columbia University for tools and suggestions.

References:

http://seclists.org/oss-sec/2017/q3/240

https://access.redhat.com/security/vulnerabilities/3112931

https://patchwork.kernel.org/patch/9755753/

https://patchwork.kernel.org/patch/9755757/

https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1408967.html

https://bugzilla.kernel.org/show_bug.cgi?id=196279 (restricted access)

Upstream patch: 49d31c2f389a

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=49d31c2f389acfe83417083e1208422b4091cd9

Comment 1 Vladis Dronov 2017-07-12 12:04 UTC
Created attachment 1296934 [details]
dmesg-slub-debug.txt

Comment 6 Vladis Dronov 2017-07-14 15:11:58 UTC
Statement:

This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6, 7.0 and 7.1 as the code with the flaw is not present in the products listed.

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 7.2 and newer and Red Hat Enterprise MRG 2. Future kernel updates for these products may address this issue.

Comment 8 Vladis Dronov 2017-08-03 14:33:51 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1478086]

Comment 11 errata-xmlrpc 2017-08-15 11:46:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2473 https://access.redhat.com/errata/RHSA-2017:2473

Comment 13 errata-xmlrpc 2017-09-05 11:31:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2585 https://access.redhat.com/errata/RHSA-2017:2585

Comment 14 errata-xmlrpc 2017-09-06 20:43:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2669 https://access.redhat.com/errata/RHSA-2017:2669

Comment 15 errata-xmlrpc 2017-09-19 16:12:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:2770 https://access.redhat.com/errata/RHSA-2017:2770

Comment 16 errata-xmlrpc 2017-10-10 12:46:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:2869 https://access.redhat.com/errata/RHSA-2017:2869

Comment 18 Pedro Sampaio 2018-06-11 17:22:38 UTC
Acknowledgments:

Name: Leilei Lin (Alibaba Group), Fan Wu (The University of Hong Kong), Shixiong Zhao (The University of Hong Kong), Shankara Pailoor (Columbia University), Andrew Aday (Columbia University)


Note You need to log in before you can comment on or make changes to this bug.