There is a flaw in the Linux Kernel file system metadata validator in XFS which may cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt, which will shut down the filesystem and render it inaccessible until it is remounted. To trigger this flaw, a specific extended attribute name/value pair must be created. It is possible that after this failure, and before a reboot, mounting other partitions will not work (other already-mounted partitions still work well until reboot, and a new mount from an image file should work too). This is a user-triggerable denial of service. A patch to fix the issue: https://lore.kernel.org/linux-xfs/63722af5-2d8d-2455-17ee-988defd3126f@redhat.com/
Acknowledgments: Name: Dr. David Alan Gilbert (redhat.com)
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1874811]
This flaw was introduced in kernel 4.16, with commit 1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs")
Still relevant for rhel7 (even though kernel 3.10 is lower than 4.16), because of this commit: 176cad912b2b fs/xfs/libxfs/xfs_attr_leaf.c (Carlos Maiolino 2019-07-10 09:40:03 -0400 927) if (((char *)sfep + sizeof(*sfep)) >= endp)
FEDORA-2020-708b23f2ce has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
(In reply to Eric Christensen from comment #24)
> Statement:
>
> Because only a local user can trigger this flaw, the impact has been reduced
> to Moderate.

Note that 'local' can include an unprivileged user in an OpenShift container.
Upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4020438fab05364018c91f7e02ebdd192085933
External References: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f4020438fab05364018c91f7e02ebdd192085933
Statement: Only local users, including unprivileged users in a container, can trigger this flaw. However, the impact could be high, especially on multi-tenant systems, because after the attack the system is rendered inaccessible for some time (at least until reboot), so the impact has been increased to Important.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:4287 https://access.redhat.com/errata/RHSA-2020:4287
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4286 https://access.redhat.com/errata/RHSA-2020:4286
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4289 https://access.redhat.com/errata/RHSA-2020:4289
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14385
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:4332 https://access.redhat.com/errata/RHSA-2020:4332
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4331 https://access.redhat.com/errata/RHSA-2020:4331
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:5050 https://access.redhat.com/errata/RHSA-2020:5050
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:5199 https://access.redhat.com/errata/RHSA-2020:5199
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:5437 https://access.redhat.com/errata/RHSA-2020:5437
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:5441 https://access.redhat.com/errata/RHSA-2020:5441