ASA-2018-00054 – Linux kernel: Cleancache deleted files infoleak


Allele Security Alert

ASA-2018-00054

Identifier(s)

ASA-2018-00054, CVE-2018-16862

Title

Cleancache deleted files infoleak

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 4.20

Linux kernel versions before 4.19.7
Linux kernel versions before 4.14.87
Linux kernel versions before 4.9.144
Linux kernel versions before 4.4.167
Linux kernel versions before 3.18.129
Linux kernel versions before 3.16.62

Fixed version(s)

Linux kernel version 4.20

Linux kernel version 4.19.7
Linux kernel version 4.14.87
Linux kernel version 4.9.144
Linux kernel version 4.4.167
Linux kernel version 3.18.129
Linux kernel version 3.16.62

Proof of concept

Unknown

Description

An unprivileged user may access the content of a deleted file belonging to any other user on a file system with cleancache enabled. Currently only Xen's tmem driver registers itself as a backend for cleancache.

Technical details

Under certain conditions the kernel may not drop the content of a deleted file from cleancache on the file's last iput(). When a newly created file is assigned the inode number of the previously deleted file, reading it can return the content of the deleted file that is still saved in cleancache.

If all pages are deleted from the mapping by memory reclaim and are also moved to cleancache:

__delete_from_page_cache
  (no shadow case)
  unaccount_page_cache_page
    cleancache_put_page
  page_cache_delete
    mapping->nrpages -= nr
    (nrpages becomes 0)

The cleancache entries for the inode are not invalidated after the final truncation on file removal:

truncate_inode_pages_final
  check (nrpages || nrexceptional) is false
    no truncate_inode_pages
      no cleancache_invalidate_inode(mapping)

This way, when reading a new file created with the same inode number, we may get the stale leftover pages from cleancache and see wrong data instead of the contents of the new file.
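The two call chains above can be replayed in a small user-space model. The following C program is an added example, not kernel code and not part of the advisory: it models cleancache as a table keyed by (inode number, page index), reclaim as the step that hands clean pages to cleancache and empties the mapping, and truncate_inode_pages_final() in its pre-fix form (invalidation guarded by nrpages) and its fixed form (unconditional). The file contents, the inode number 42 and the four-page file size are constructed values; the read path follows the real ordering of page cache, then cleancache, then disk.

```c
/* User-space model (added example, not kernel code) of the CVE-2018-16862
 * cleancache path: reclaim moves clean pages into cleancache, the final
 * truncate skips cleancache_invalidate_inode() when nrpages is already 0,
 * and a new file that reuses the inode number reads the stale pages back. */
#include <stdio.h>
#include <string.h>

#define NPAGES 4      /* pages per file in this model (constructed) */
#define MAX_INO 64    /* inode numbers the model cleancache can key on */

/* Cleancache backend keyed by (inode number, page index), like tmem. */
static struct { int valid; char data; } cleancache[MAX_INO][NPAGES];

/* Model of struct address_space plus the on-disk blocks of the file. */
struct address_space {
    unsigned long ino;
    int nrpages;           /* pages currently in the page cache */
    int present[NPAGES];   /* is page[i] in the page cache? */
    char page[NPAGES];     /* cached page contents */
    char disk[NPAGES];     /* what a real read from the block device returns */
};

static void cleancache_put_page(unsigned long ino, int idx, char data)
{
    cleancache[ino][idx].valid = 1;
    cleancache[ino][idx].data = data;
}

static int cleancache_get_page(unsigned long ino, int idx, char *out)
{
    if (!cleancache[ino][idx].valid)
        return 0;
    *out = cleancache[ino][idx].data;
    return 1;
}

static void cleancache_invalidate_inode(unsigned long ino)
{
    memset(cleancache[ino], 0, sizeof(cleancache[ino]));
}

/* __delete_from_page_cache(): a clean page evicted by reclaim is first
 * handed to cleancache, then dropped from the mapping (nrpages--). */
static void delete_from_page_cache(struct address_space *m, int idx)
{
    cleancache_put_page(m->ino, idx, m->page[idx]);
    m->present[idx] = 0;
    m->nrpages--;
}

/* Memory pressure: reclaim evicts every cached page of the file. */
static void reclaim_all(struct address_space *m)
{
    for (int i = 0; i < NPAGES; i++)
        if (m->present[i])
            delete_from_page_cache(m, i);
}

/* truncate_inode_pages_range(): drops the pages and, at the end,
 * invalidates the inode's cleancache entries. */
static void truncate_inode_pages(struct address_space *m)
{
    for (int i = 0; i < NPAGES; i++)
        m->present[i] = 0;
    m->nrpages = 0;
    cleancache_invalidate_inode(m->ino);
}

/* truncate_inode_pages_final(): before the fix the call was guarded by
 * "nrpages || nrexceptional", so a mapping already emptied by reclaim never
 * reached cleancache_invalidate_inode(). The fix calls it unconditionally. */
static void truncate_inode_pages_final(struct address_space *m, int fixed)
{
    if (!fixed && m->nrpages == 0)
        return;                       /* vulnerable: invalidation skipped */
    truncate_inode_pages(m);
}

/* Read path: page cache first, then cleancache, then the disk. */
static char read_page(struct address_space *m, int idx)
{
    char c;
    if (m->present[idx])
        return m->page[idx];
    if (!cleancache_get_page(m->ino, idx, &c))
        c = m->disk[idx];
    m->page[idx] = c;
    m->present[idx] = 1;
    m->nrpages++;
    return c;
}

/* Scenario: file A (ino 42) is read, reclaimed and unlinked; file B is
 * created with the same inode number and read. Returns the byte seen in
 * page 0 of B: 'A' means the deleted file's content leaked, 'B' is correct. */
char observed_after_inode_reuse(int fixed)
{
    struct address_space a = { .ino = 42 }, b = { .ino = 42 };
    memset(a.disk, 'A', NPAGES);
    memset(b.disk, 'B', NPAGES);
    memset(cleancache, 0, sizeof(cleancache));

    for (int i = 0; i < NPAGES; i++)
        read_page(&a, i);                   /* populate A's page cache */
    reclaim_all(&a);                        /* pages move into cleancache */
    truncate_inode_pages_final(&a, fixed);  /* last iput() of the deleted A */

    return read_page(&b, 0);                /* first read of the new file B */
}

int main(void)
{
    printf("vulnerable kernel: new file reads '%c'\n", observed_after_inode_reuse(0));
    printf("fixed kernel:      new file reads '%c'\n", observed_after_inode_reuse(1));
    return 0;
}
```

Run with `fixed = 0` the model returns 'A' from the new file, which is the leak described above; with `fixed = 1` the unconditional truncate_inode_pages() invalidates inode 42's cleancache entries and the read falls through to the disk, returning 'B'. The model deliberately ignores the nrexceptional (shadow entry) case, which does not change the outcome for the reclaim-emptied mapping.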

Credits

Vasily Averin and Pavel Tikhomirov (Virtuozzo Kernel Team)

Reference(s)

CVE-2018-16862: Linux kernel: cleancache: deleted files infoleak
https://seclists.org/oss-sec/2018/q4/169

mm: cleancache: fix corruption on missed inode invalidation
https://lore.kernel.org/patchwork/patch/1011367/

Bug 1649017 – (CVE-2018-16862) CVE-2018-16862 kernel: cleancache: Infoleak of deleted files after reuse of old inodes
https://bugzilla.redhat.com/show_bug.cgi?id=1649017

mm: cleancache: fix corruption on missed inode invalidation
https://github.com/torvalds/linux/commit/6ff38bd40230af35e446239396e5fc8ebd6a5248#diff-a867b589a17d6d3ea5e9a787a775da7b

ChangeLog-4.19.7
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.7

ChangeLog-4.14.87
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.87

ChangeLog-4.4.167
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.167

ChangeLog-3.18.129
http://cdn.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.18.129

ChangeLog-4.9.144
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.144

ChangeLog-4.20
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20

ChangeLog-3.16.62
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.62

CVE-2018-16862 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-16862

CVE-2018-16862
https://security-tracker.debian.org/tracker/CVE-2018-16862

CVE-2018-16862 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16862.html

CVE-2018-16862 | SUSE
https://www.suse.com/security/cve/CVE-2018-16862

CVE-2018-16862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16862

CVE-2018-16862
https://nvd.nist.gov/vuln/detail/CVE-2018-16862

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.