Bug 923908 - (CVE-2014-9710) VUL-0: CVE-2014-9710: kernel: fs: btrfs: non-atomic xattr replace operation
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: David Sterba
QA Contact: Security Team bot
Whiteboard: CVSSv2:NVD:CVE-2014-9710:6.9:(AV:L/AC...
Depends on: 939260
Reported: 2015-03-24 08:56 UTC by Marcus Meissner
Modified: 2019-06-18 16:47 UTC (History)
Description Marcus Meissner 2015-03-24 08:56:41 UTC
via oss-sec

Hello,

Linux kernel built with Btrfs filesystem support (CONFIG_BTRFS_FS) is
vulnerable to a race condition which leaves the extended attribute (xattr)
empty for a short time window. This could be leveraged to bypass set ACLs and
potentially escalate user privileges.

An unprivileged user could use this flaw to potentially escalate privileges on
a system.

Upstream fix:
-------------
   -> https://git.kernel.org/linus/5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339


Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
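Added example, not part of the report above, the upstream patch or any SUSE package: a user-space probe for the window the report describes. A forked child keeps replacing one user xattr on a file with XATTR_REPLACE, alternating two values of different length, while the parent keeps calling getxattr() on it and counts how often the attribute is reported absent (ENODATA). On a kernel with the fix, or on a filesystem whose replace is atomic, the count is 0. The file path, the xattr name and the iteration count are assumptions chosen for the example; the probe only observes the window, it does not attempt the ACL bypass.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Name chosen for this example; any user.* attribute works. */
#define XATTR_NAME "user.cve_2014_9710_probe"

/* Two replacement values of different size, so each replace has to change
 * the stored item rather than overwrite bytes of equal length. */
static const char VAL_SHORT[] = "a";
static const char VAL_LONG[]  = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";

/*
 * Runs the probe on `path` for `reads` getxattr() calls.
 * Returns the number of reads that found no value at all, or -1 if the probe
 * could not run (file creation failed, or the filesystem does not support
 * user xattrs, e.g. tmpfs on kernels before 6.6).
 */
int probe_xattr_replace_window(const char *path, long reads)
{
    int fd = open(path, O_CREAT | O_RDWR | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    close(fd);

    /* Establish the initial value; ENOTSUP/EOPNOTSUPP means no user xattrs here. */
    if (setxattr(path, XATTR_NAME, VAL_SHORT, sizeof(VAL_SHORT), XATTR_CREATE) != 0) {
        unlink(path);
        return -1;
    }

    pid_t writer = fork();
    if (writer < 0) {
        unlink(path);
        return -1;
    }
    if (writer == 0) {
        /* Writer: replace the value forever, alternating sizes, until killed. */
        for (unsigned long i = 0;; i++) {
            const char *v = (i & 1) ? VAL_LONG : VAL_SHORT;
            size_t n = (i & 1) ? sizeof(VAL_LONG) : sizeof(VAL_SHORT);
            if (setxattr(path, XATTR_NAME, v, n, XATTR_REPLACE) != 0)
                _exit(2);
        }
    }

    /* Reader: every ENODATA is one observation of the intermediate state. */
    long missing = 0;
    char buf[sizeof(VAL_LONG)];
    for (long i = 0; i < reads; i++) {
        ssize_t r = getxattr(path, XATTR_NAME, buf, sizeof(buf));
        if (r < 0 && errno == ENODATA)
            missing++;
        else if (r < 0)
            break;          /* unrelated failure; stop counting */
    }

    kill(writer, SIGKILL);
    waitpid(writer, NULL, 0);
    unlink(path);
    return (int)missing;
}

int main(void)
{
    /* Path is an assumption; run it on a btrfs mount to test that filesystem. */
    int n = probe_xattr_replace_window("/tmp/cve-2014-9710-probe", 200000);
    if (n < 0)
        printf("probe could not run (no user xattr support on this filesystem?)\n");
    else
        printf("reads that saw no value: %d\n", n);
    return 0;
}
```

Point the path at a file on the btrfs volume under test; a non-zero count from an unprivileged user is the observable symptom of the unfixed code, since a reader of system.posix_acl_access would fall into the same window.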
Comment 1 Marcus Meissner 2015-03-24 17:06:40 UTC
Mitre evaluation:

> Linux kernel built with Btrfs filesystem support (CONFIG_BTRFS_FS) is
> vulnerable to a race condition which leaves the extended attribute (xattr)
> empty for a short time window. This could be leveraged to bypass set ACLs and
> potentially escalate user privileges.
> 
> An unprivileged user could use this flaw to potentially escalate privileges on
> a system.
> 
> https://git.kernel.org/linus/5f5bc6b1e2d5a6f827bc860ef2dc5b6f365d1339

We would like to restate the security issue somewhat. The commit
mentions two separate concerns: (1) "This leaves a time window where
readers (getxattr, listxattrs) won't see any value for the xattr" and
(2) "Deleting the old xattr value without verifying first if the new
xattr will fit." In both cases, apparently the underlying problem is
that the code is attempting to accomplish a transition between a
previously acceptable state of an object and a new acceptable state of
an object, but does this in a way that an intermediate state becomes
visible. Because the intermediate state is, for a security-relevant
reason, not known to be acceptable, the transition code has a
vulnerability (related, in general, to CWE-371). We feel that (1) and
(2) are therefore the same type of vulnerability, even though the
attack methodology might rely on a race condition only in case (1).

Use CVE-2014-9710 for this vulnerability involving improper management
of xattr state.

> Returning -EEXIST when the flag XATTR_CREATE is given and the xattr
> doesn't exist

We don't know whether this third concern is a vulnerability. Presumably
it would depend on what callers do after the -EEXIST.

--
CVE assignment team, MITRE CVE Numbering Authority
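Added example, not from the report, the upstream commit or MITRE: a minimal in-memory model of the two concerns MITRE groups under this CVE, in the form the commit message describes them. A "leaf" is a fixed byte budget holding one value for a key. replace_nonatomic() follows the unfixed shape: delete the old value, then try to insert the new one, so a reader running in between sees no value (concern 1) and an oversize new value fails only after the old one is gone (concern 2). replace_atomic() checks the fit first and overwrites in place, so every observable state is an acceptable one. The leaf size, the reader hook and all names are assumptions made for this model, not btrfs code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define LEAF_BYTES 16                      /* byte budget of the model leaf (assumption) */

struct leaf {
    size_t len;                            /* length of the stored value, 0 = no value */
    char   data[LEAF_BYTES];
};

/* Stands in for a concurrent getxattr(): reports whether the key currently
 * has no value. The replace routines call it while they are in flight. */
typedef bool (*reader_hook)(const struct leaf *);

static bool reader_saw_no_value(const struct leaf *l)
{
    return l->len == 0;
}

/* Unfixed shape: delete the old value, then insert the new one. Whether the
 * new value fits is only discovered after the old one is gone. */
int replace_nonatomic(struct leaf *l, const char *v, size_t n,
                      reader_hook hook, bool *window_seen)
{
    if (l->len == 0)
        return -1;                         /* ENODATA: nothing to replace */
    l->len = 0;                            /* step 1: delete */
    if (hook)
        *window_seen = hook(l);            /* reader runs here: finds no value */
    if (n > LEAF_BYTES)
        return -2;                         /* ENOSPC, but the old value is already lost */
    memcpy(l->data, v, n);                 /* step 2: insert */
    l->len = n;
    return 0;
}

/* Fixed shape: validate first, then overwrite in place. At every point a
 * reader sees either the old value or the new one, never an empty key. */
int replace_atomic(struct leaf *l, const char *v, size_t n,
                   reader_hook hook, bool *window_seen)
{
    if (l->len == 0)
        return -1;
    if (n > LEAF_BYTES)
        return -2;                         /* rejected before any state changes */
    if (hook)
        *window_seen = hook(l);            /* reader runs here: still sees the old value */
    memcpy(l->data, v, n);
    l->len = n;
    return 0;
}

static struct leaf leaf_with_old_value(void)
{
    struct leaf l = { .len = 3 };
    memcpy(l.data, "old", 3);
    return l;
}

/* Concern (1): a reader during the unfixed replace finds no value at all. */
bool nonatomic_exposes_empty_window(void)
{
    struct leaf l = leaf_with_old_value();
    bool seen = false;
    return replace_nonatomic(&l, "new", 3, reader_saw_no_value, &seen) == 0 && seen;
}

/* Concern (2): an oversize value fails the unfixed replace after the delete,
 * so the key is left without a value although the caller got an error. */
bool nonatomic_oversize_loses_old_value(void)
{
    struct leaf l = leaf_with_old_value();
    bool seen = false;
    char big[LEAF_BYTES + 1] = {0};
    return replace_nonatomic(&l, big, sizeof big, reader_saw_no_value, &seen) == -2
        && l.len == 0;
}

/* Fixed: no empty window, and a rejected oversize value leaves the old one intact. */
bool atomic_never_exposes_empty_window(void)
{
    struct leaf l = leaf_with_old_value();
    bool seen = true;
    return replace_atomic(&l, "new", 3, reader_saw_no_value, &seen) == 0 && !seen
        && l.len == 3 && memcmp(l.data, "new", 3) == 0;
}

bool atomic_oversize_keeps_old_value(void)
{
    struct leaf l = leaf_with_old_value();
    bool seen = false;
    char big[LEAF_BYTES + 1] = {0};
    return replace_atomic(&l, big, sizeof big, reader_saw_no_value, &seen) == -2
        && l.len == 3 && memcmp(l.data, "old", 3) == 0;
}
```

The model is single-threaded on purpose: the hook makes the intermediate state explicit instead of depending on scheduling, which is what makes the CWE-371 framing (an unacceptable state becoming visible during a transition) easy to check.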
Comment 2 David Sterba 2015-03-24 17:33:57 UTC
In SLE12 tree as: patches.suse/btrfs-8167-make-xattr-replace-operations-atomic.patch

Committed on: Fri Jan 16 16:58:41 2015 +0000, so it has probably already been released.
Comment 3 Swamp Workflow Management 2015-03-24 23:00:16 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2015-03-25 10:37:03 UTC
Is the issue in the SLE11 codebase?
Comment 5 David Sterba 2015-04-08 13:52:24 UTC
SLE11SP3 (inherited to SP4): patches.suse/btrfs-8306-make-xattr-replace-operations-atomic.patch
Comment 9 Michal Hocko 2015-07-03 11:57:12 UTC
pushed to SLE11-SP3-TD branch as well.
Comment 11 Swamp Workflow Management 2015-07-10 14:08:59 UTC
SUSE-SU-2015:1224-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 915517,919007,922583,923908,927355,929525,929647,930786,933429,933896,933904,933907,935705,936831
CVE References: 
Sources used:
SUSE Linux Enterprise Server 11-SP3-TERADATA (src):    kernel-source-3.0.101-57.TDC.2, kernel-syms-3.0.101-57.TDC.2
Comment 13 Marcus Meissner 2016-08-01 11:56:55 UTC
Released, I think.
Comment 14 Marcus Meissner 2016-08-01 11:57:19 UTC
.
Comment 17 Swamp Workflow Management 2019-06-18 16:47:16 UTC
SUSE-SU-2019:14089-1: An update that solves 9 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 1110785,1113769,1119314,1120326,1120843,1120885,1131295,1131543,1132374,1132472,1132580,1133188,1134102,1134729,1134848,1137586,923908,939260
CVE References: CVE-2014-9710,CVE-2018-17972,CVE-2019-11190,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11486,CVE-2019-11884,CVE-2019-5489
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    kernel-bigmem-3.0.101-108.95.2, kernel-default-3.0.101-108.95.2, kernel-ec2-3.0.101-108.95.2, kernel-pae-3.0.101-108.95.2, kernel-ppc64-3.0.101-108.95.2, kernel-source-3.0.101-108.95.1, kernel-syms-3.0.101-108.95.1, kernel-trace-3.0.101-108.95.2, kernel-xen-3.0.101-108.95.2
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-108.95.2, kernel-pae-3.0.101-108.95.2, kernel-ppc64-3.0.101-108.95.2, kernel-trace-3.0.101-108.95.2, kernel-xen-3.0.101-108.95.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-bigmem-3.0.101-108.95.2, kernel-default-3.0.101-108.95.2, kernel-ec2-3.0.101-108.95.2, kernel-pae-3.0.101-108.95.2, kernel-ppc64-3.0.101-108.95.2, kernel-trace-3.0.101-108.95.2, kernel-xen-3.0.101-108.95.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.