Re: CVE Request: Linux kernel - Denial of service in notify_change for xattrs.

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> [wmealing]$ chown root:root /usr/bin/ping
> chown: changing ownership of '/usr/bin/ping': Operation not permitted
>
> [wmealing]$ ping www.google.com
> ping: icmp open socket: Operation not permitted
>
> This can cause a denial of service for applications which use the
> capabilities subsystem such as pirahnah (arping), netconsole (arping),
> some kdump implementations, etc.

> > Currently we call security_inode_killpriv() in notify_change(),
> > but in case of a chown() this is too early - we have not called
> > inode_change_ok() or made any filesystem-specific permission/sanity
> > checks.

> > + * setattr_killpriv - remove extended privilege attributes from a file
> > + * @dentry: Directory entry passed to the setattr operation
> > + * @iattr: New attributes pased to the setattr operation
> > + *
> > + * All filesystems that can carry extended privilege attributes
> > + * should call this from their setattr operation *after* validating
> > + * the attribute changes.

This is a somewhat unusual situation in which there is arguably a
single underlying discovery: if any filesystem supports extended
privilege attributes, its setattr operation has a requirement for
certain code that supports the functionality of removing extended
privilege attributes. Previously, there was no such requirement in the
sense that notify_change was (wrongly) expected to support that
functionality. Thus, it seems best to model this as a single security
problem (with a single CVE ID) in which the set of requirements for
setattr operations was incomplete. It does not seem worthwhile to
model this as a series of related security problems (with multiple CVE
IDs) in which individual filesystems had their own independent
implementation errors.

Use CVE-2015-1350.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUw7LsAAoJEKllVAevmvmsxFwIAI8+WBXMKoJ7r+rWI7eeXoSn
mGcb3gMBNS4siHYk12q22wcSHL/MbPqeUwWYT6b28xgf79GHkuLFyEksunhVoLzB
TFrg1co3TjhzOtxAMV+VjjPRmfiS0Odc3KVsFyHX3FkNbPRLqy7d/yHMstScOTXM
NzqpxrVRrL0Xs4LiOXWfWsAl1pkHpoDZSEC6FNxB2O87LowQF1qn/UlT88QczYoN
4R66bDM3grd8iqohrpRk9ILiD97ZDShpwL8AIT27yxWttC2QiltSWTqCLvTGOZ4V
ovk5gI1kAcGvGE32ILLYPrqDERLM4O3LqZtsd+793yj2yuqDs9D4cNj9XAdij5M=
=WP6T
-----END PGP SIGNATURE-----