cve/published/2024/CVE-2024-43882.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-43882: exec: Fix ToCToU between perm check and set-uid/gid usage

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 exec: Fix ToCToU between perm check and set-uid/gid usage

 When opening a file for exec via do_filp_open(), permission checking is
 done against the file's metadata at that moment, and on success, a file
 pointer is passed back. Much later in the execve() code path, the file
 metadata (specifically mode, uid, and gid) is used to determine if/how
 to set the uid and gid. However, those values may have changed since the
 permissions check, meaning the execution may gain unintended privileges.

 For example, if a file could change permissions from executable and not
 set-id:

 ---------x 1 root root 16048 Aug  7 13:16 target

 to set-id and non-executable:

 ---S------ 1 root root 16048 Aug  7 13:16 target

 it is possible to gain root privileges when execution should have been
 disallowed.

 While this race condition is rare in real-world scenarios, it has been
 observed (and proven exploitable) when package managers are updating
 the setuid bits of installed programs. Such files start with being
 world-executable but then are adjusted to be group-exec with a set-uid
 bit. For example, "chmod o-x,u+s target" makes "target" executable only
 by uid "root" and gid "cdrom", while also becoming setuid-root:

 -rwxr-xr-x 1 root cdrom 16048 Aug  7 13:16 target

 becomes:

 -rwsr-xr-- 1 root cdrom 16048 Aug  7 13:16 target

 But racing the chmod means users without group "cdrom" membership can
 get the permission to execute "target" just before the chmod, and when
 the chmod finishes, the exec reaches brpm_fill_uid(), and performs the
 setuid to root, violating the expressed authorization of "only cdrom
 group members can setuid to root".

 Re-check that we still have execute permissions in case the metadata
 has changed. It would be better to keep a copy from the perm-check time,
 but until we can do that refactoring, the least-bad option is to do a
 full inode_permission() call (under inode lock). It is understood that
 this is safe against dead-locks, but hardly optimal.

 The Linux kernel CVE team has assigned CVE-2024-43882 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 4.19.320 with commit d5c3c7e26275a2d83b894d30f7582a42853a958f
 	Fixed in 5.4.282 with commit 368f6985d46657b8b466a421dddcacd4051f7ada
 	Fixed in 5.10.224 with commit 15469d46ba34559bfe7e3de6659115778c624759
 	Fixed in 5.15.165 with commit 9b424c5d4130d56312e2a3be17efb0928fec4d64
 	Fixed in 6.1.106 with commit f6cfc6bcfd5e1cf76115b6450516ea4c99897ae1
 	Fixed in 6.6.47 with commit d2a2a4714d80d09b0f8eb6438ab4224690b7121e
 	Fixed in 6.10.6 with commit 90dfbba89ad4f0d9c9744ecbb1adac4aa2ff4f3e
 	Fixed in 6.11 with commit f50733b45d865f91db90919f8311e2127ce5a0cb

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-43882
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/exec.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d5c3c7e26275a2d83b894d30f7582a42853a958f
 	https://git.kernel.org/stable/c/368f6985d46657b8b466a421dddcacd4051f7ada
 	https://git.kernel.org/stable/c/15469d46ba34559bfe7e3de6659115778c624759
 	https://git.kernel.org/stable/c/9b424c5d4130d56312e2a3be17efb0928fec4d64
 	https://git.kernel.org/stable/c/f6cfc6bcfd5e1cf76115b6450516ea4c99897ae1
 	https://git.kernel.org/stable/c/d2a2a4714d80d09b0f8eb6438ab4224690b7121e
 	https://git.kernel.org/stable/c/90dfbba89ad4f0d9c9744ecbb1adac4aa2ff4f3e
 	https://git.kernel.org/stable/c/f50733b45d865f91db90919f8311e2127ce5a0cb
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-43882: exec: Fix ToCToU between perm check and set-uid/gid usage

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	exec: Fix ToCToU between perm check and set-uid/gid usage

	When opening a file for exec via do_filp_open(), permission checking is
	done against the file's metadata at that moment, and on success, a file
	pointer is passed back. Much later in the execve() code path, the file
	metadata (specifically mode, uid, and gid) is used to determine if/how
	to set the uid and gid. However, those values may have changed since the
	permissions check, meaning the execution may gain unintended privileges.

	For example, if a file could change permissions from executable and not
	set-id:

	---------x 1 root root 16048 Aug 7 13:16 target

	to set-id and non-executable:

	---S------ 1 root root 16048 Aug 7 13:16 target

	it is possible to gain root privileges when execution should have been
	disallowed.

	While this race condition is rare in real-world scenarios, it has been
	observed (and proven exploitable) when package managers are updating
	the setuid bits of installed programs. Such files start with being
	world-executable but then are adjusted to be group-exec with a set-uid
	bit. For example, "chmod o-x,u+s target" makes "target" executable only
	by uid "root" and gid "cdrom", while also becoming setuid-root:

	-rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target

	becomes:

	-rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target

	But racing the chmod means users without group "cdrom" membership can
	get the permission to execute "target" just before the chmod, and when
	the chmod finishes, the exec reaches brpm_fill_uid(), and performs the
	setuid to root, violating the expressed authorization of "only cdrom
	group members can setuid to root".

	Re-check that we still have execute permissions in case the metadata
	has changed. It would be better to keep a copy from the perm-check time,
	but until we can do that refactoring, the least-bad option is to do a
	full inode_permission() call (under inode lock). It is understood that
	this is safe against dead-locks, but hardly optimal.

	The Linux kernel CVE team has assigned CVE-2024-43882 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 4.19.320 with commit d5c3c7e26275a2d83b894d30f7582a42853a958f
	Fixed in 5.4.282 with commit 368f6985d46657b8b466a421dddcacd4051f7ada
	Fixed in 5.10.224 with commit 15469d46ba34559bfe7e3de6659115778c624759
	Fixed in 5.15.165 with commit 9b424c5d4130d56312e2a3be17efb0928fec4d64
	Fixed in 6.1.106 with commit f6cfc6bcfd5e1cf76115b6450516ea4c99897ae1
	Fixed in 6.6.47 with commit d2a2a4714d80d09b0f8eb6438ab4224690b7121e
	Fixed in 6.10.6 with commit 90dfbba89ad4f0d9c9744ecbb1adac4aa2ff4f3e
	Fixed in 6.11 with commit f50733b45d865f91db90919f8311e2127ce5a0cb

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-43882
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/exec.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d5c3c7e26275a2d83b894d30f7582a42853a958f
	https://git.kernel.org/stable/c/368f6985d46657b8b466a421dddcacd4051f7ada
	https://git.kernel.org/stable/c/15469d46ba34559bfe7e3de6659115778c624759
	https://git.kernel.org/stable/c/9b424c5d4130d56312e2a3be17efb0928fec4d64
	https://git.kernel.org/stable/c/f6cfc6bcfd5e1cf76115b6450516ea4c99897ae1
	https://git.kernel.org/stable/c/d2a2a4714d80d09b0f8eb6438ab4224690b7121e
	https://git.kernel.org/stable/c/90dfbba89ad4f0d9c9744ecbb1adac4aa2ff4f3e
	https://git.kernel.org/stable/c/f50733b45d865f91db90919f8311e2127ce5a0cb