Bug 1874800 (CVE-2020-14385) - CVE-2020-14385 kernel: metadata validator in XFS may cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14385
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1874811 1875316 1875317 1875319 1875320 1881083 1881084 1881085 1881086 1881087 1881088 1881089 1881090 1881091 1881092 1881093 1881094 1881095 1881096 1881098 1881099 1881100 1881101 1881102 1881104 1881105 1881106 1881338 1881339 1881340 1881410 1881412 1881413 1881414 1881416
Blocks: 1872883
 
Reported: 2020-09-02 09:35 UTC by Alex
Modified: 2023-12-15 19:08 UTC

Fixed In Version: Linux kernel 5.9-rc4
Doc Text:
A flaw was found in the Linux kernel. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shut down, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-10-20 14:21:19 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:0138 0 None None None 2021-01-14 11:41:32 UTC
Red Hat Product Errata RHSA-2020:4286 0 None None None 2020-10-20 08:47:58 UTC
Red Hat Product Errata RHSA-2020:4287 0 None None None 2020-10-20 08:38:42 UTC
Red Hat Product Errata RHSA-2020:4289 0 None None None 2020-10-20 09:00:07 UTC
Red Hat Product Errata RHSA-2020:4331 0 None None None 2020-10-26 11:19:06 UTC
Red Hat Product Errata RHSA-2020:4332 0 None None None 2020-10-26 11:14:37 UTC
Red Hat Product Errata RHSA-2020:5050 0 None None None 2020-11-10 13:18:24 UTC
Red Hat Product Errata RHSA-2020:5199 0 None None None 2020-11-24 10:04:19 UTC
Red Hat Product Errata RHSA-2020:5437 0 None None None 2020-12-15 11:12:15 UTC
Red Hat Product Errata RHSA-2020:5441 0 None None None 2020-12-15 11:17:14 UTC

Description Alex 2020-09-02 09:35:15 UTC
There is a flaw in the Linux Kernel file system metadata validator in XFS which may cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt, which will shut down the filesystem and render it inaccessible until it is remounted.  To trigger this flaw, a specific extended attribute name/value pair must be created.
It is possible that after this failure and before a reboot, mounting other partitions will not work (but other already-mounted partitions still work well until reboot, and a new mount from an image file should work too).

This is a user-triggerable denial of service.

A patch to fix the issue:
https://lore.kernel.org/linux-xfs/63722af5-2d8d-2455-17ee-988defd3126f@redhat.com/

Comment 1 Alex 2020-09-02 09:35:23 UTC
Acknowledgments:

Name: Dr. David Alan Gilbert (redhat.com)

Comment 2 Alex 2020-09-02 10:06:20 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1874811]

Comment 3 Alex 2020-09-02 10:06:51 UTC
This flaw was introduced in kernel 4.16, with commit

1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs")

Comment 4 Alex 2020-09-02 10:18:53 UTC
Still relevant for RHEL 7 (even though kernel 3.10 is lower than 4.16), because of this commit:

176cad912b2b fs/xfs/libxfs/xfs_attr_leaf.c (Carlos Maiolino   2019-07-10 09:40:03 -0400  927)           if (((char *)sfep + sizeof(*sfep)) >= endp)

Comment 22 Fedora Update System 2020-09-07 17:14:14 UTC
FEDORA-2020-708b23f2ce has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 25 Eric Christensen 2020-09-09 17:48:16 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Comment 26 Dr. David Alan Gilbert 2020-09-09 17:52:10 UTC
(In reply to Eric Christensen from comment #24)
> Statement:
> 
> Because only a local user can trigger this flaw, the impact has been reduced
> to Moderate.

Note that 'local' can include an unprivileged user in an OpenShift container.

Comment 40 Petr Matousek 2020-09-22 11:29:53 UTC
Statement:

Only local users, including unprivileged users in a container, can trigger this flaw. However, the impact could be high, especially on multi-tenant systems, because after the attack the system is rendered inaccessible for some time (at least until reboot), so the impact has been increased to Important.

Comment 60 errata-xmlrpc 2020-10-20 08:38:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:4287 https://access.redhat.com/errata/RHSA-2020:4287

Comment 61 errata-xmlrpc 2020-10-20 08:48:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4286 https://access.redhat.com/errata/RHSA-2020:4286

Comment 62 errata-xmlrpc 2020-10-20 08:59:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4289 https://access.redhat.com/errata/RHSA-2020:4289

Comment 63 Product Security DevOps Team 2020-10-20 14:21:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14385

Comment 70 errata-xmlrpc 2020-10-26 11:14:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:4332 https://access.redhat.com/errata/RHSA-2020:4332

Comment 71 errata-xmlrpc 2020-10-26 11:18:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4331 https://access.redhat.com/errata/RHSA-2020:4331

Comment 74 errata-xmlrpc 2020-11-10 13:18:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5050 https://access.redhat.com/errata/RHSA-2020:5050

Comment 78 errata-xmlrpc 2020-11-24 10:04:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:5199 https://access.redhat.com/errata/RHSA-2020:5199

Comment 79 errata-xmlrpc 2020-12-15 11:12:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5437 https://access.redhat.com/errata/RHSA-2020:5437

Comment 80 errata-xmlrpc 2020-12-15 11:16:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5441 https://access.redhat.com/errata/RHSA-2020:5441

