ASA-2018-00070 – Linux kernel: userfaultfd bypasses tmpfs file permission


Allele Security Alert

ASA-2018-00070

Identifier(s)

ASA-2018-00070, CVE-2018-18397

Title

userfaultfd bypasses tmpfs file permission

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions before 4.20

Linux kernel versions before 4.14.87
Linux kernel versions before 4.19.7
Linux kernel versions before 4.19.11
Linux kernel versions before 4.14.90

Fixed version(s)

Linux kernel version 4.20

Linux kernel version 4.14.87
Linux kernel version 4.19.7
Linux kernel version 4.19.11
Linux kernel version 4.14.90

Proof of concept

Yes

Description

In Linux kernel versions since 4.11, userfaultfd can be used to write arbitrary data into holes in sparse tmpfs files to which an attacker has read-only access.

Technical details

Using the userfaultfd API, it is possible to first register a userfaultfd region for any VMA that fulfills vma_can_userfault(): it must be an anonymous VMA (->vm_ops==NULL), a hugetlb VMA (VM_HUGETLB), or a shmem VMA (->vm_ops==shmem_vm_ops). This means that it is, for example, possible to register userfaultfd regions for shared read-only mappings of tmpfs files.

Afterwards, the userfaultfd API can be used on such a region to (atomically) write data into holes in the file’s mapping. This API also works on read-only shared mappings.

This means that an attacker with read-only access to a tmpfs file that contains holes can write data into holes in the file.
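The two preconditions described above, a kernel inside the affected window and a readable sparse file on tmpfs, can be checked on a host with the following script. It is an added example for this alert, not code from the advisory or from the kernel tree; it assumes Linux (SEEK_HOLE support) and takes the first fixed release of each stable series listed above as the cut-off.

```python
import os
import re
import stat

# Window from this advisory: affected since 4.11; fixed in 4.20 and in 4.14.87 / 4.19.7.
FIRST_AFFECTED = (4, 11)
MAINLINE_FIX = (4, 20)
STABLE_FIXES = {(4, 14): 87, (4, 19): 7}

def parse_kernel_version(release: str) -> tuple[int, int, int]:
    """Turn a `uname -r` string such as '4.19.6-1-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected(release: str) -> bool:
    """True if the running kernel lies inside the CVE-2018-18397 window."""
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) < FIRST_AFFECTED or (major, minor) >= MAINLINE_FIX:
        return False
    fix_patch = STABLE_FIXES.get((major, minor))
    # 4.15 to 4.18 got no backport, so every release of those series is affected.
    return fix_patch is None or patch < fix_patch

def tmpfs_mounts(proc_mounts: str) -> list[str]:
    """Extract tmpfs mount points from text in /proc/mounts format."""
    fields = (line.split() for line in proc_mounts.splitlines())
    return [f[1] for f in fields if len(f) > 2 and f[2] == "tmpfs"]

def has_hole(path: str) -> bool:
    """True if a regular file has a hole: SEEK_HOLE finds one before end of file."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        return os.lseek(fd, 0, os.SEEK_HOLE) < st.st_size
    finally:
        os.close(fd)

def exposed_sparse_files(mount: str):
    """Yield sparse regular files under `mount` that are readable by 'others'."""
    for root, _dirs, files in os.walk(mount):
        for path in (os.path.join(root, n) for n in files):
            try:  # files under /run and /dev/shm come and go; skip vanished ones
                if os.lstat(path).st_mode & stat.S_IROTH and has_hole(path):
                    yield path
            except OSError:
                continue
```

On a live host, feed `os.uname().release` to `is_affected()` and the contents of /proc/mounts to `tmpfs_mounts()`, then walk each mount point with `exposed_sparse_files()`.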

Credits

Jann Horn (Google Project Zero)

Reference(s)

Linux: userfaultfd bypasses tmpfs file permissions
https://bugs.chromium.org/p/project-zero/issues/detail?id=1700

Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7)
https://seclists.org/oss-sec/2018/q4/219

userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=29ec90660d68bbdd69507c1c8b4e33aa299278b1

Linux 4.14.87
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.87

Linux 4.19.7
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.7

Linux 4.19.11
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.11

Linux 4.14.90
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.90

Linux 4.20
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20

CVE-2018-18397 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-18397

CVE-2018-18397 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18397.html

CVE-2018-18397
https://security-tracker.debian.org/tracker/CVE-2018-18397

CVE-2018-18397 | SUSE
https://www.suse.com/security/cve/CVE-2018-18397

CVE-2018-18397
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18397

CVE-2018-18397
https://nvd.nist.gov/vuln/detail/CVE-2018-18397

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 10, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.