Bug 2015046 (CVE-2021-3864) - CVE-2021-3864 kernel: descendant's dumpable setting with certain SUID binaries
Summary: CVE-2021-3864 kernel: descendant's dumpable setting with certain SUID binaries
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-3864
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2015893 2015894 2015895 2015896 2015897 2015898 2015899 2015900 2015901 2015902 2015982 2015983 2015984 2015985 2015986 2015987
Blocks: 2010280 (Embargoed)
Reported: 2021-10-18 09:31 UTC by Petr Matousek
Modified: 2023-05-12 19:42 UTC
CC List: 54 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed their descendants. The prerequisite is a SUID binary that sets its real UID equal to its effective UID, and its real GID equal to its effective GID. The descendant will then have a dumpable value of 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with an eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.
Clone Of:
Environment:
Last Closed: 2022-06-13 14:55:08 UTC



Description Petr Matousek 2021-10-18 09:31:26 UTC
A flaw was found in the way dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real uid equal to effective uid, and real gid equal to effective gid. Then the descendant will have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root suid binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges.

Reference:
https://www.openwall.com/lists/oss-security/2021/10/20/2
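The description above hinges on one configuration detail: with a relative kernel.core_pattern, the kernel writes the core file relative to the crashing process's current working directory. The Python audit below is added here and is not part of the bug report or of the kernel patch; it classifies a core_pattern value, computes where a dump would land for a constructed crash, and flags the relative case. The /proc/sys paths are the real kernel interface, but the sample crash values, the fallback settings and the recommendation wording are this example's own assumptions, and the specifier expansion covers only the subset listed in CORE_SPECIFIERS.

```python
"""Audit the core_pattern setting that the CVE-2021-3864 description depends on.

Added example (not from the bug report): reads kernel.core_pattern from
/proc/sys when readable, otherwise audits a constructed sample value, and
reports whether core files would land in the crashing process's cwd.
"""
import os

CORE_PATTERN_PATH = "/proc/sys/kernel/core_pattern"

# Constructed fallback used when /proc/sys is not readable (offline run).
SAMPLE_CORE_PATTERN = "core"

# Subset of core_pattern specifiers this example expands (assumption: enough
# to show where a dump lands; the kernel supports more, e.g. %s, %c, %P).
CORE_SPECIFIERS = {"%p": "pid", "%e": "exe", "%u": "uid", "%g": "gid",
                   "%t": "time", "%h": "host"}


def classify_core_pattern(pattern: str) -> str:
    """Return 'pipe', 'absolute' or 'relative' for a kernel.core_pattern value.

    A leading '|' hands the dump to a user-space helper, a leading '/' writes
    to a fixed directory, and anything else is resolved against the crashing
    process's current working directory (the case the bug description relies on).
    """
    p = pattern.strip()
    if p.startswith("|"):
        return "pipe"
    if p.startswith("/"):
        return "absolute"
    return "relative"


def expand_core_pattern(pattern: str, crash: dict) -> str:
    """Expand the CORE_SPECIFIERS present in pattern from the crash dict.

    '%%' is protected first so a literal percent sign is not expanded.
    """
    out = pattern.replace("%%", "\x00")
    for spec, key in CORE_SPECIFIERS.items():
        out = out.replace(spec, str(crash.get(key, spec)))
    return out.replace("\x00", "%")


def core_destination(pattern: str, crash: dict):
    """Return the path a core file would be written to, or None for a pipe handler.

    crash must carry 'cwd'; a relative pattern is joined onto it, which is
    exactly how a root-owned cwd ends up receiving the dump.
    """
    kind = classify_core_pattern(pattern)
    if kind == "pipe":
        return None
    name = expand_core_pattern(pattern.strip(), crash)
    return name if kind == "absolute" else os.path.join(crash["cwd"], name)


def audit(core_pattern: str) -> list:
    """Return (setting, value, finding) tuples; an empty list means nothing to report."""
    findings = []
    if classify_core_pattern(core_pattern) == "relative":
        findings.append(("kernel.core_pattern", core_pattern,
                         "relative pattern: core files are written into the crashing "
                         "process's cwd; prefer an absolute path or a pipe handler"))
    return findings


def read_core_pattern(path: str = CORE_PATTERN_PATH) -> str:
    """Read the live setting, falling back to the constructed sample when unavailable."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return SAMPLE_CORE_PATTERN


if __name__ == "__main__":
    pattern = read_core_pattern()
    # Constructed crash: an unprivileged process whose cwd is a root-owned directory.
    crash = {"pid": 4242, "exe": "helper", "uid": 1000, "gid": 1000, "cwd": "/srv/app"}
    print("core_pattern:", pattern, "->", classify_core_pattern(pattern))
    print("dump would land at:", core_destination(pattern, crash))
    for setting, value, finding in audit(pattern):
        print(f"FINDING {setting}={value!r}: {finding}")
```

The audit deliberately looks only at core_pattern: the description states that the descendant is dumpable (value 1) regardless, so fs.suid_dumpable does not change the outcome here, whereas an absolute or pipe core_pattern decides where, and under whose control, the dump is written.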

Comment 6 Petr Matousek 2021-10-20 14:38:13 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2015987]

Comment 11 Wander 2021-12-28 17:17:39 UTC
I proposed a patch upstream for this bug: https://lore.kernel.org/lkml/20211228170910.623156-1-wander@redhat.com/T/#t

