Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 24 Jan 2015 09:59:03 -0500 (EST)
Subject: Re: CVE Request: Linux kernel - Denial of service in notify_change for xattrs.

Hash: SHA1

> [wmealing]$ chown root:root /usr/bin/ping
> chown: changing ownership of '/usr/bin/ping': Operation not permitted
> [wmealing]$ ping
> ping: icmp open socket: Operation not permitted
> This can cause a denial of service for applications which use the
> capabilities subsystem such as pirahnah (arping), netconsole (arping),
> some kdump implementations, etc.

>> Currently we call security_inode_killpriv() in notify_change(),
>> but in case of a chown() this is too early - we have not called
>> inode_change_ok() or made any filesystem-specific permission/sanity
>> checks.

>> + * setattr_killpriv - remove extended privilege attributes from a file
>> + * @dentry: Directory entry passed to the setattr operation
>> + * @iattr: New attributes pased to the setattr operation
>> + *
>> + * All filesystems that can carry extended privilege attributes
>> + * should call this from their setattr operation *after* validating
>> + * the attribute changes.

This is a somewhat unusual situation in which there is arguably a
single underlying discovery: if any filesystem supports extended
privilege attributes, its setattr operation has a requirement for
certain code that supports the functionality of removing extended
privilege attributes. Previously, there was no such requirement in the
sense that notify_change was (wrongly) expected to support that
functionality. Thus, it seems best to model this as a single security
problem (with a single CVE ID) in which the set of requirements for
setattr operations was incomplete. It does not seem worthwhile to
model this as a series of related security problems (with multiple CVE
IDs) in which individual filesystems had their own independent
implementation errors.

Use CVE-2015-1350.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.