Bug 1874800 (CVE-2020-14385) - CVE-2020-14385 kernel: metadata validator in XFS may cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt
Keywords:
Status: NEW
Alias: CVE-2020-14385
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1874811 1875316 1875317 1875319 1875320 1881083 1881084 1881085 1881105 1881338 1881339 1881340 1881413 1881414 1881416 1881086 1881087 1881088 1881089 1881090 1881091 1881092 1881093 1881094 1881095 1881096 1881098 1881099 1881100 1881101 1881102 1881104 1881106 1881410 1881412
Blocks: 1872883
Reported: 2020-09-02 09:35 UTC by Alex
Modified: 2020-09-22 11:29 UTC (History)

Fixed In Version: Linux kernel 5.9-rc4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:



Description Alex 2020-09-02 09:35:15 UTC
There is a flaw in the Linux Kernel file system metadata validator in XFS which may cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt, which will shut down the filesystem and render it inaccessible until it is remounted. To trigger this flaw, a specific extended attribute name/value pair must be created.
It is possible that after this failure, and before a reboot, mounting other partitions will not work (but other already-mounted partitions still work well until reboot, and a new mount from an image file should work too).

This is a user-triggerable denial of service.

A patch to fix the issue:
https://lore.kernel.org/linux-xfs/63722af5-2d8d-2455-17ee-988defd3126f@redhat.com/

Comment 1 Alex 2020-09-02 09:35:23 UTC
Acknowledgments:

Name: Dr. David Alan Gilbert (redhat.com)

Comment 2 Alex 2020-09-02 10:06:20 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1874811]

Comment 3 Alex 2020-09-02 10:06:51 UTC
This flaw was introduced in kernel 4.16, with commit

1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs")

Comment 4 Alex 2020-09-02 10:18:53 UTC
For rhel7 this is still relevant (even though kernel 3.10 is lower than 4.16), because of this commit:

176cad912b2b fs/xfs/libxfs/xfs_attr_leaf.c (Carlos Maiolino   2019-07-10 09:40:03 -0400  927)           if (((char *)sfep + sizeof(*sfep)) >= endp)

Comment 22 Fedora Update System 2020-09-07 17:14:14 UTC
FEDORA-2020-708b23f2ce has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 25 Eric Christensen 2020-09-09 17:48:16 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Comment 26 Dr. David Alan Gilbert 2020-09-09 17:52:10 UTC
(In reply to Eric Christensen from comment #24)
> Statement:
> 
> Because only a local user can trigger this flaw, the impact has been reduced
> to Moderate.

Note that 'local' can include an unprivileged user in an openshift container.

Comment 40 Petr Matousek 2020-09-22 11:29:53 UTC
Statement:

Only local users, including unprivileged users in a container, can trigger this flaw. However, the impact could be high, especially on multi-tenant systems, because after the attack the system is rendered inaccessible for some time (at least until reboot), so the impact has been increased to Important.

