Allele Security Alert
ASA-2018-00070
Identifier(s)
ASA-2018-00070, CVE-2018-18397
Title
userfaultfd bypasses tmpfs file permission
Vendor(s)
Linux Foundation
Product(s)
Linux kernel
Affected version(s)
Linux kernel versions before 4.20
Linux kernel versions 4.14.x before 4.14.87
Linux kernel versions 4.19.x before 4.19.7
Fixed version(s)
Linux kernel version 4.20
Linux kernel version 4.14.87
Linux kernel version 4.19.7
Proof of concept
Yes
Description
The userfaultfd implementation in the Linux kernel mishandles access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c.
Technical details
Using the userfaultfd API, it is possible to first register a userfaultfd region for any VMA that fulfills vma_can_userfault(): it must be an anonymous VMA (->vm_ops==NULL), a hugetlb VMA (VM_HUGETLB), or a shmem VMA (->vm_ops==shmem_vm_ops). This means that it is, for example, possible to register userfaultfd regions for shared read-only mappings of tmpfs files.
Afterwards, the userfaultfd API can be used on such a region to (atomically) write data into holes in the file’s mapping. This API also works on read-only shared mappings.
This means that an attacker with read-only access to a tmpfs file that contains holes can write data into holes in the file.
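An added check in C (not the advisory's or Project Zero's proof of concept) that tests whether a running kernel still accepts the first step described above: UFFDIO_REGISTER on a read-only MAP_SHARED mapping of an all-hole shmem file. It stops at registration and never issues a hole-filling ioctl; the fix in commit 29ec90660d68 makes the registration fail with EPERM because such a VMA lacks VM_MAYWRITE. The enum and function names are this example's own, and it assumes a Linux build environment with linux/userfaultfd.h and a mounted /proc.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/userfaultfd.h>

enum { PROBE_INCONCLUSIVE = -1, PROBE_NOT_AFFECTED = 0, PROBE_AFFECTED = 1 };
/* UFFDIO_REGISTER verdict for a read-only MAP_SHARED shmem mapping: fixed kernels return
 * EPERM (VMA lacks VM_MAYWRITE), success means the hole-filling ioctls would be reachable,
 * any other errno (e.g. EINVAL when shmem userfaultfd is unsupported) is inconclusive. */
int classify_register(int ret, int err) {
    if (ret == 0) return PROBE_AFFECTED;
    return err == EPERM ? PROBE_NOT_AFFECTED : PROBE_INCONCLUSIVE;
}

int probe_userfaultfd_readonly_shmem(void) {
    long page = sysconf(_SC_PAGESIZE);
    int verdict = PROBE_INCONCLUSIVE, uffd = -1, rofd = -1, ret;
    void *map = MAP_FAILED; char path[64];
    /* Constructed target: an all-hole shmem file reopened O_RDONLY, so the shared
     * mapping is created without VM_MAYWRITE, exactly as a read-only user gets it. */
    int mfd = memfd_create("asa-2018-00070-probe", MFD_CLOEXEC);
    if (mfd < 0 || ftruncate(mfd, page) != 0) goto out;
    snprintf(path, sizeof path, "/proc/self/fd/%d", mfd);
    if ((rofd = open(path, O_RDONLY | O_CLOEXEC)) < 0) goto out;
    if ((map = mmap(NULL, page, PROT_READ, MAP_SHARED, rofd, 0)) == MAP_FAILED) goto out;
#ifdef UFFD_USER_MODE_ONLY  /* lets unprivileged users open a uffd on kernels >= 5.11 */
    uffd = syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY);
#endif
    if (uffd < 0) uffd = syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK);
    if (uffd < 0) goto out;  /* syscall absent, or denied by sysctl/seccomp */
    struct uffdio_api api = { .api = UFFD_API, .features = 0 };
    if (ioctl(uffd, UFFDIO_API, &api) != 0) goto out;
    struct uffdio_register reg = { .range = { .start = (unsigned long)map, .len = page },
                                   .mode = UFFDIO_REGISTER_MODE_MISSING };
    ret = ioctl(uffd, UFFDIO_REGISTER, &reg); verdict = classify_register(ret, errno);
out:
    if (uffd >= 0) close(uffd);  /* closing the uffd also drops any registration */
    if (map != MAP_FAILED) munmap(map, page);
    if (rofd >= 0) close(rofd); if (mfd >= 0) close(mfd);
    return verdict;
}

int main(void) {
    static const char *name[] = { "inconclusive", "not affected", "affected" };
    return printf("CVE-2018-18397 probe: %s\n", name[probe_userfaultfd_readonly_shmem() + 1]) < 0;
}
```

Run it as an unprivileged user; "inconclusive" usually means the userfaultfd syscall itself was refused (vm.unprivileged_userfaultfd, seccomp) rather than anything about the fix.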
Credits
Jann Horn (Google Project Zero)
Reference(s)
Linux: userfaultfd bypasses tmpfs file permissions
https://bugs.chromium.org/p/project-zero/issues/detail?id=1700
Linux kernel: userfaultfd bypasses tmpfs file permissions (CVE-2018-18397; since 4.11; fixed in 4.14.87 and 4.19.7)
https://seclists.org/oss-sec/2018/q4/219
userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=29ec90660d68bbdd69507c1c8b4e33aa299278b1
hugetlb: implement memfd sealing
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff62a34210441103108d435ae8a00a777c4dcb99
userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
https://github.com/torvalds/linux/commit/29ec90660d68bbdd69507c1c8b4e33aa299278b1
hugetlb: implement memfd sealing
https://github.com/torvalds/linux/commit/ff62a34210441103108d435ae8a00a777c4dcb99
Linux 4.20
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20
Linux 4.19.7
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.7
Linux 4.14.87
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.87
CVE-2018-18397 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2018-18397
CVE-2018-18397
https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18397.html
CVE-2018-18397
https://security-tracker.debian.org/tracker/CVE-2018-18397
CVE-2018-18397 | SUSE
https://www.suse.com/security/cve/CVE-2018-18397
CVE-2018-18397
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18397
CVE-2018-18397
https://nvd.nist.gov/vuln/detail/CVE-2018-18397
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: November 29, 2019