Date: Fri, 13 Jul 2018 09:25:48 -0400 (EDT) From: Vladis Dronov <vdronov@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2018-13405: Linux kernel: fs/inode.c:inode_init_owner() function mishandled a file creation in setgid directories Heololo, The Linux kernel through version v4.18-rc4 has a vulnerability in the fs/inode.c:inode_init_owner() function logic that allows local users to create files with an unintended group ownership and with group execution and SGID permission bits set, in a scenario where a parent directory has SGID bit set and belongs to a certain group and is writable by a user who is not a member of this group. In such a case a directory group non-member user can create a plain file whose group ownership is of that group and with group execution and SGID permission bits set. This can lead to excessive permissions granted in case when they should not. The intended behavior is that the non-member user can trigger creation of a directory with group execution and SGID permission bits set whose group ownership is of that group, but not a plain file. The XFS filesystem is a special case here, it does not use fs/inode.c:inode_init_owner() function from the VFS code, but uses its own fs/xfs/xfs_inode.c:xfs_ialloc() function. The XFS filesystem behavior in such situations is controlled by the fs.xfs.irix_sgid_inherit sysctl parameter, and so the XFS filesystem is not vulnerable to this flaw. [https://www.kernel.org/doc/Documentation/filesystems/xfs.txt] fs.xfs.irix_sgid_inherit (Min: 0 Default: 0 Max: 1) Controls files created in SGID directories. If the group ID of the new file does not match the effective group ID or one of the supplementary group IDs of the parent dir, the ISGID bit is cleared if the irix_sgid_inherit compatibility sysctl is set. References: https://twitter.com/grsecurity/status/1015082951204327425 https://bugzilla.redhat.com/show_bug.cgi?id=1599161 https://bugzilla.suse.com/show_bug.cgi?id=1100416 An upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7 Best regards, Vladis Dronov | Red Hat, Inc. | Product Security Engineer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ