CVE-2023-52779 fs: Pass AT_GETATTR_NOSEC flag to getattr interface function

2024-05-2115:30:58

Linux

github.com

linux kernel

vulnerability

resolved

getattr

interface

function

vfs_getattr_nosec

filesystem

security checks

overlayfs

ecryptfs

attribute flag

getattr_nosec

getattr_flags

code change

ima

current->fs

kernel

null pointer dereference

cve-2023-52779

6.8 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

fs: Pass AT_GETATTR_NOSEC flag to getattr interface function

When vfs_getattr_nosec() calls a filesystem’s getattr interface function
then the ‘nosec’ should propagate into this function so that
vfs_getattr_nosec() can again be called from the filesystem’s gettattr
rather than vfs_getattr(). The latter would add unnecessary security
checks that the initial vfs_getattr_nosec() call wanted to avoid.
Therefore, introduce the getattr flag GETATTR_NOSEC and allow to pass
with the new getattr_flags parameter to the getattr interface function.
In overlayfs and ecryptfs use this flag to determine which one of the
two functions to call.

In a recent code change introduced to IMA vfs_getattr_nosec() ended up
calling vfs_getattr() in overlayfs, which in turn called
security_inode_getattr() on an exiting process that did not have
current->fs set anymore, which then caused a kernel NULL pointer
dereference. With this change the call to security_inode_getattr() can
be avoided, thus avoiding the NULL pointer dereference.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/ecryptfs/inode.c",
      "fs/overlayfs/inode.c",
      "fs/overlayfs/overlayfs.h",
      "fs/stat.c",
      "include/uapi/linux/fcntl.h"
    ],
    "versions": [
      {
        "version": "db1d1e8b9867",
        "lessThan": "3fb0fa086419",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "db1d1e8b9867",
        "lessThan": "8a924db2d7b5",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/ecryptfs/inode.c",
      "fs/overlayfs/inode.c",
      "fs/overlayfs/overlayfs.h",
      "fs/stat.c",
      "include/uapi/linux/fcntl.h"
    ],
    "versions": [
      {
        "version": "6.5",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "6.5",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.4",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.7",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]