A flaw was found in Linux kernel ext4 filesystem. A local user can cause an out-of-bound write and so a denial of service or possibly unspecified other impact by mounting and operating a crafted ext4 filesystem image. References: https://bugzilla.kernel.org/show_bug.cgi?id=199865 Upstream patches: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=819b23f1c501b17b9694325471789e6b5cc2d0d2 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=77260807d1170a8cf35dbb06e07461a655f67eee
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1596803]
This is fixed for Fedora with the 4.17.6 stable kernel update
Notes: While the flaw reproducer works when run as a privileged user (the "root"), this requires a mount of a certain filesystem image. An unprivileged attacker cannot do this even from a user+mount namespace: $ unshare -U -r -m # mount -t ext4 fs.img mnt/ mount: mnt/: mount failed: Operation not permitted. The article https://lwn.net/Articles/652468/ discusses unprivileged user mounts and hostile filesystem images: > ... for the most part, the mount() system call is denied to processes running > within user namespaces, even if they are privileged in their namespaces. It also states that unprivileged filesystem mounts are not allowed as of now in the Linux kernel and probably won't be allowed in a future. Until that such flaws are considered as not exploitable: > There were no proposals for solutions to the hostile-filesystem problem. > But, in the absence of some sort of assurance that they can be made safe, > unprivileged filesystem mounts are unlikely to gain acceptance; even if the > feature gets into the kernel, distributions would be likely to disable it. On the other hand, there is a potential possibility that still an attacker can trick a regular user to mount a malicious filesystem image, like trick him to insert an usb-flash-drive with a forged filesystem to a desktop system which will auto-mount it. In case this results only in a system crash (a DoS due to, for example, a NULL pointer dereference) the flaw impact is low but it still exists. In case of a flaw which results in a privilege escalation the flaw's impact is higher. So the Red Hat would still consider bugs which require mounting a filesystem image to exploit as security flaws, though with Low severity.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3083 https://access.redhat.com/errata/RHSA-2018:3083
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3096 https://access.redhat.com/errata/RHSA-2018:3096
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2948 https://access.redhat.com/errata/RHSA-2018:2948