cve/published/2024/CVE-2024-42318.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-42318: landlock: Don't lose track of restrictions on cred_transfer

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 landlock: Don't lose track of restrictions on cred_transfer

 When a process' cred struct is replaced, this _almost_ always invokes
 the cred_prepare LSM hook; but in one special case (when
 KEYCTL_SESSION_TO_PARENT updates the parent's credentials), the
 cred_transfer LSM hook is used instead.  Landlock only implements the
 cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes
 all information on Landlock restrictions to be lost.

 This basically means that a process with the ability to use the fork()
 and keyctl() syscalls can get rid of all Landlock restrictions on
 itself.

 Fix it by adding a cred_transfer hook that does the same thing as the
 existing cred_prepare hook. (Implemented by having hook_cred_prepare()
 call hook_cred_transfer() so that the two functions are less likely to
 accidentally diverge in the future.)

 The Linux kernel CVE team has assigned CVE-2024-42318 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit 385975dca53eb41031d0cbd1de318eb1bc5d6bb9 and fixed in 5.15.165 with commit 916c648323fa53b89eedb34a0988ddaf01406117
 	Issue introduced in 5.13 with commit 385975dca53eb41031d0cbd1de318eb1bc5d6bb9 and fixed in 6.1.103 with commit 0d74fd54db0bd0c0c224bef0da8fc95ea9c9f36c
 	Issue introduced in 5.13 with commit 385975dca53eb41031d0cbd1de318eb1bc5d6bb9 and fixed in 6.6.44 with commit 16896914bace82d7811c62f3b6d5320132384f49
 	Issue introduced in 5.13 with commit 385975dca53eb41031d0cbd1de318eb1bc5d6bb9 and fixed in 6.10.3 with commit b14cc2cf313bd29056fadbc8ecd7f957cf5791ff
 	Issue introduced in 5.13 with commit 385975dca53eb41031d0cbd1de318eb1bc5d6bb9 and fixed in 6.11 with commit 39705a6c29f8a2b93cf5b99528a55366c50014d1

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-42318
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	security/landlock/cred.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/916c648323fa53b89eedb34a0988ddaf01406117
 	https://git.kernel.org/stable/c/0d74fd54db0bd0c0c224bef0da8fc95ea9c9f36c
 	https://git.kernel.org/stable/c/16896914bace82d7811c62f3b6d5320132384f49
 	https://git.kernel.org/stable/c/b14cc2cf313bd29056fadbc8ecd7f957cf5791ff
 	https://git.kernel.org/stable/c/39705a6c29f8a2b93cf5b99528a55366c50014d1
 	https://lore.kernel.org/all/20240817.shahka3Ee1iy@digikod.net/
 	https://www.openwall.com/lists/oss-security/2024/08/17/2
 	https://bugs.chromium.org/p/project-zero/issues/detail?id=2566
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-42318: landlock: Don't lose track of restrictions on cred_transfer

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	landlock: Don't lose track of restrictions on cred_transfer

	When a process' cred struct is replaced, this _almost_ always invokes
	the cred_prepare LSM hook; but in one special case (when
	KEYCTL_SESSION_TO_PARENT updates the parent's credentials), the
	cred_transfer LSM hook is used instead. Landlock only implements the
	cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes
	all information on Landlock restrictions to be lost.

	This basically means that a process with the ability to use the fork()
	and keyctl() syscalls can get rid of all Landlock restrictions on
	itself.

	Fix it by adding a cred_transfer hook that does the same thing as the
	existing cred_prepare hook. (Implemented by having hook_cred_prepare()
	call hook_cred_transfer() so that the two functions are less likely to
	accidentally diverge in the future.)

	The Linux kernel CVE team has assigned CVE-2024-42318 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit 385975dca53eb41031d0cbd1de318eb1bc5d6bb9 and fixed in 5.15.165 with commit 916c648323fa53b89eedb34a0988ddaf01406117
	Issue introduced in 5.13 with commit 385975dca53eb41031d0cbd1de318eb1bc5d6bb9 and fixed in 6.1.103 with commit 0d74fd54db0bd0c0c224bef0da8fc95ea9c9f36c
	Issue introduced in 5.13 with commit 385975dca53eb41031d0cbd1de318eb1bc5d6bb9 and fixed in 6.6.44 with commit 16896914bace82d7811c62f3b6d5320132384f49
	Issue introduced in 5.13 with commit 385975dca53eb41031d0cbd1de318eb1bc5d6bb9 and fixed in 6.10.3 with commit b14cc2cf313bd29056fadbc8ecd7f957cf5791ff
	Issue introduced in 5.13 with commit 385975dca53eb41031d0cbd1de318eb1bc5d6bb9 and fixed in 6.11 with commit 39705a6c29f8a2b93cf5b99528a55366c50014d1

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-42318
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	security/landlock/cred.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/916c648323fa53b89eedb34a0988ddaf01406117
	https://git.kernel.org/stable/c/0d74fd54db0bd0c0c224bef0da8fc95ea9c9f36c
	https://git.kernel.org/stable/c/16896914bace82d7811c62f3b6d5320132384f49
	https://git.kernel.org/stable/c/b14cc2cf313bd29056fadbc8ecd7f957cf5791ff
	https://git.kernel.org/stable/c/39705a6c29f8a2b93cf5b99528a55366c50014d1
	https://lore.kernel.org/all/20240817.shahka3Ee1iy@digikod.net/
	https://www.openwall.com/lists/oss-security/2024/08/17/2
	https://bugs.chromium.org/p/project-zero/issues/detail?id=2566