Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Sat, 24 Jan 2015 09:59:03 -0500 (EST)
Subject: Re: CVE Request: Linux kernel - Denial of service in notify_change for xattrs.

> [wmealing]$ chown root:root /usr/bin/ping
> chown: changing ownership of '/usr/bin/ping': Operation not permitted
> [wmealing]$ ping
> ping: icmp open socket: Operation not permitted
> This can cause a denial of service for applications which use the
> capabilities subsystem such as piranha (arping), netconsole (arping),
> some kdump implementations, etc.

>> Currently we call security_inode_killpriv() in notify_change(),
>> but in case of a chown() this is too early - we have not called
>> inode_change_ok() or made any filesystem-specific permission/sanity
>> checks.

>> + * setattr_killpriv - remove extended privilege attributes from a file
>> + * @dentry: Directory entry passed to the setattr operation
>> + * @iattr: New attributes pased to the setattr operation
>> + *
>> + * All filesystems that can carry extended privilege attributes
>> + * should call this from their setattr operation *after* validating
>> + * the attribute changes.
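Review bot: typo in the kernel-doc header, "@iattr: New attributes pased to the setattr operation" should read "passed"; since this comment is what filesystem authors will read when deciding where to call the helper, it is worth also stating in the same header that calling it before the validation step reintroduces the early-killpriv problem the patch is fixing, rather than leaving that only to the emphasised "*after*".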

This is a somewhat unusual situation in which there is arguably a
single underlying discovery: if any filesystem supports extended
privilege attributes, its setattr operation has a requirement for
certain code that supports the functionality of removing extended
privilege attributes. Previously, there was no such requirement in the
sense that notify_change was (wrongly) expected to support that
functionality. Thus, it seems best to model this as a single security
problem (with a single CVE ID) in which the set of requirements for
setattr operations was incomplete. It does not seem worthwhile to
model this as a series of related security problems (with multiple CVE
IDs) in which individual filesystems had their own independent
implementation errors.

Use CVE-2015-1350.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
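A check script for the behaviour wmealing reports above, added here as an example and not part of the thread or of any kernel or libcap code: it records a binary's file capabilities, attempts the chown from the report as the current unprivileged user, and reports whether the capabilities survived the failed call. It assumes coreutils chown/stat and libcap getcap are installed, and that the target is a scratch copy a root user prepared with "setcap cap_net_raw+ep TARGET"; on an affected kernel a positive result strips the capabilities, so the real /usr/bin/ping should not be used.

```shell
#!/bin/sh
# Added example, not from the thread: does a failed unprivileged chown()
# strip a binary's security.capability xattr on this kernel?
# Assumptions: GNU coreutils (chown, stat) and libcap getcap are present;
# TARGET is a root-owned scratch copy prepared with
#   cp /usr/bin/ping /tmp/ping-copy && setcap cap_net_raw+ep /tmp/ping-copy
# on a filesystem that supports extended attributes.

# Reduce one line of getcap output to the capability string only.
# Handles both "/path = cap_net_raw+ep" (older libcap output) and
# "/path cap_net_raw=ep" (newer libcap output). Paths containing spaces
# are not handled.
parse_getcap_line() {
    printf '%s\n' "$1" | sed -e 's/^[^ ]* *=* *//'
}

# Classify a before/after pair of capability strings and print the verdict:
#   none     - the target carried no file capabilities, nothing to test
#   stripped - capabilities were present before and gone after
#   intact   - capabilities survived the failed chown
classify_caps() {
    before=$1
    after=$2
    if [ -z "$before" ]; then
        echo none
    elif [ -z "$after" ]; then
        echo stripped
    else
        echo intact
    fi
}

# Attempt the chown from the report as the current (unprivileged) user and
# report what happened to the file capabilities.
check_killpriv_on_failed_chown() {
    target=$1
    before=$(parse_getcap_line "$(getcap "$target" 2>/dev/null)")
    # chown to the file's current owner is still EPERM for a non-owner, so
    # the only observable side effect is what the kernel did before its
    # ownership check. Same outcome as the "chown root:root" in the report.
    owner=$(stat -c '%u:%g' "$target")
    if chown "$owner" "$target" 2>/dev/null; then
        echo "chown succeeded; run this as a user who does not own $target" >&2
        return 3
    fi
    after=$(parse_getcap_line "$(getcap "$target" 2>/dev/null)")
    classify_caps "$before" "$after"
}

# Usage: sh check-killpriv.sh /tmp/ping-copy   (as an unprivileged user)
if [ -n "$1" ]; then
    check_killpriv_on_failed_chown "$1"
fi
```

"stripped" reproduces the report: the chown is refused, yet the binary has lost its capabilities and will fail as ping does above until root re-runs setcap. "intact" is the expected result once setattr_killpriv is called only after the filesystem's permission checks.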