Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1468283 (CVE-2017-7533)

Summary: CVE-2017-7533 kernel: a race between inotify_handle_event() and sys_rename()
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aquini, carnil, dhoward, fche, fhrbata, joe.lawrence, jpoimboe, kernel-mgr, mszeredi, nmurray, pholasek, plougher, pmatouse, rvrbovsk, security-response-team, slawomir, swhiteho, vdronov, wmealing, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A race condition was found in the Linux kernel, present since v3.14-rc1 through v4.12. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race the next slab data or the slab's free list pointer can be corrupted with attacker-controlled data, which may lead to the privilege escalation.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:16:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1470403, 1471130, 1471131, 1471132, 1471133, 1478086, 1478096, 1478097, 1478098, 1478099, 1478100    
Bug Blocks:    
Attachments:
Description Flags
dmesg-slub-debug.txt none

Description Pedro Sampaio 2017-07-06 14:55:10 UTC
A race condition was found in Linux kernel present since v3.14-rc1 upto v4.12 including. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race the the next slab data or the slab's free list pointer can be corrupted with attacker-controlled data, which may lead to the privilege escalation.

The researchers of this flaw are Leilei Lin from Alibaba Group and Fan Wu and Shixiong Zhao from a research group supervised by Dr. Heming Cui of the Department of Computer Science, The University of Hong Kong. Thanks to Rui Gu and Prof.Junfeng Yang from Columbia University for tools and suggestions.

References:

http://seclists.org/oss-sec/2017/q3/240

https://access.redhat.com/security/vulnerabilities/3112931

https://patchwork.kernel.org/patch/9755753/

https://patchwork.kernel.org/patch/9755757/

https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1408967.html

https://bugzilla.kernel.org/show_bug.cgi?id=196279 (restricted access)

Upstream patch: 49d31c2f389a

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=49d31c2f389acfe83417083e1208422b4091cd9

Comment 1 Vladis Dronov 2017-07-12 12:04:49 UTC
Created attachment 1296934 [details]
dmesg-slub-debug.txt

Comment 6 Vladis Dronov 2017-07-14 15:11:58 UTC
Statement:

This issue does not affect the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 5, 6, 7.0 and 7.1 as the code with the flaw is not present in the products listed.

This issue affects the versions of the Linux kernel as shipped with Red Hat Enterprise Linux 7.2 and newer and Red Hat Enterprise MRG 2. Future kernel updates for these products may address this issue.

Comment 8 Vladis Dronov 2017-08-03 14:33:51 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1478086]

Comment 11 errata-xmlrpc 2017-08-15 11:46:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2473 https://access.redhat.com/errata/RHSA-2017:2473

Comment 13 errata-xmlrpc 2017-09-05 11:31:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2585 https://access.redhat.com/errata/RHSA-2017:2585

Comment 14 errata-xmlrpc 2017-09-06 20:43:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2669 https://access.redhat.com/errata/RHSA-2017:2669

Comment 15 errata-xmlrpc 2017-09-19 16:12:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:2770 https://access.redhat.com/errata/RHSA-2017:2770

Comment 16 errata-xmlrpc 2017-10-10 12:46:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:2869 https://access.redhat.com/errata/RHSA-2017:2869

Comment 18 Pedro Sampaio 2018-06-11 17:22:38 UTC
Acknowledgments:

Name: Leilei Lin (Alibaba Group), Fan Wu (The University of Hong Kong), Shixiong Zhao (The University of Hong Kong), Shankara Pailoor (Columbia University), Andrew Aday (Columbia University)