Kernel slab corruption in the inotify subsystem of the Linux kernel - CVE-2017-7533

Public Date: July 12, 2017, 22:55
Updated: January 3, 2018, 19:21
Status: Resolved
Impact: Important

Red Hat Product Security has been made aware of a vulnerability affecting the Linux kernel's implementation of inotify. The vulnerability has been assigned CVE-2017-7533. This issue was publicly disclosed on August 3rd, 2017 and is rated as Important.

Background Information

Inotify (an abbreviation of inode notify) is a Linux kernel subsystem that allows userspace processes to be notified of changes to the filesystem. This functionality exists for most local filesystems backed by physical media and for some virtual filesystems such as sysfs.

Userspace applications must set an explicit watch on a directory or on a file itself to be notified of changes to its content. For the full list of event types, please see the man page for inotify.

Notification events and changes to the observed file are asynchronous: a change to the file can be in progress while userspace applications are still processing previous events.

The event handling code in the inotify subsystem dynamically allocates memory from the kernel slab allocator as events occur. These allocations are sized based on the struct named inotify_event_info. The final element of that struct is a buffer holding the file name used in the event.

If an observed file is renamed while an event is being handled in inotify_handle_event, a race condition can occur. The length of the filename is calculated earlier in the function, and the length of the new filename may be longer than the previously calculated length.

The file name value is then copied into the slab entry without regard for the newly renamed length. The extra bytes of the longer filename are written past the end of the allocated area and corrupt valid memory contents.

An attacker can craft data to control the contents of the next slab entry or the slab's free list pointer. For example, he can cause the next 'free' allocation to land in userspace, at a location he can write to.

When a kernel function later requests the next free "slab" entry, the slab allocator can treat this attacker-influenced block as a valid free block of memory. The attacker can then read and write kernel data, including kernel function pointers, which can enable privilege escalation.
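The following C model, added here as an illustration and not code from Red Hat or the kernel, reproduces the window described above in userspace: the vulnerable handler sizes the allocation before the rename and copies after it, while the fixed handler takes a snapshot of the name first, as the upstream dentry name snapshot fix does. SLAB_SIZE, NEIGHBOUR_FILL and all function names are assumptions, and the "neighbour" is simply the bytes that follow the event object in the same buffer.

```c
/* Userspace model of the CVE-2017-7533 race (added example, not kernel code).
 * A malloc'd "slab" holds the event object followed by a neighbour filled with
 * a known pattern, so an overrun of the event shows up as neighbour corruption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SLAB_SIZE 128
#define NEIGHBOUR_FILL 0xAA               /* contents of the adjacent slab object */

struct event_info {                       /* stands in for struct inotify_event_info */
    size_t name_len;
    char   name[];                        /* sized from the name length at allocation */
};
static char dentry_name[64];              /* the watched name, shared with "rename" */

static void racing_rename(const char *new_name)   /* rename running on another CPU */
{
    snprintf(dentry_name, sizeof dentry_name, "%s", new_name);
}

static int neighbour_corrupted(const unsigned char *slab, size_t obj_size)
{   /* 1 if anything past the event object's allocation was overwritten, else 0 */
    for (size_t i = obj_size; i < SLAB_SIZE; i++)
        if (slab[i] != NEIGHBOUR_FILL) return 1;
    return 0;
}

static int handle_event_vulnerable(const char *rename_to)
{   /* vulnerable pattern: length taken once, name re-read at copy time */
    unsigned char *slab = malloc(SLAB_SIZE);
    memset(slab, NEIGHBOUR_FILL, SLAB_SIZE);
    size_t len = strlen(dentry_name) + 1;         /* alloc_len computed here ... */
    struct event_info *ev = (struct event_info *)slab;
    ev->name_len = len;
    racing_rename(rename_to);                     /* ... rename lands in the window ... */
    strcpy(ev->name, dentry_name);                /* ... and the copy uses the new name */
    int corrupted = neighbour_corrupted(slab, sizeof *ev + len);
    free(slab);
    return corrupted;
}

static int handle_event_fixed(const char *rename_to)
{   /* fixed pattern: snapshot the name first; size and copy only from the snapshot */
    unsigned char *slab = malloc(SLAB_SIZE);
    memset(slab, NEIGHBOUR_FILL, SLAB_SIZE);
    char snapshot[sizeof dentry_name];
    strcpy(snapshot, dentry_name);                /* like take_dentry_name_snapshot() */
    size_t len = strlen(snapshot) + 1;
    struct event_info *ev = (struct event_info *)slab;
    ev->name_len = len;
    racing_rename(rename_to);                     /* same rename, now harmless */
    memcpy(ev->name, snapshot, len);              /* bounded by what was allocated */
    int corrupted = neighbour_corrupted(slab, sizeof *ev + len);
    free(slab);
    return corrupted;
}
```

Renaming to a name no longer than the one the allocation was sized for leaves the neighbour intact in both variants; only the vulnerable variant overruns when the new name is longer.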

Acknowledgements

Red Hat would like to thank Leilei Lin from Alibaba Group, and Fan Wu and Shixiong Zhao from the University of Hong Kong.

Impacted Products

The following Red Hat product versions are impacted:

  •  Red Hat Enterprise Linux 7
  •  Red Hat Enterprise MRG 2
  •  Red Hat Openshift Online v2

Attack description and impact

This flaw allows an attacker with an account on the local system to potentially elevate privileges. This class of flaw is commonly referred to as SLAB corruption. Flaws of this nature are generally exploited by manipulating kernel memory allocations into a location which an attacker can control. An attacker would then allocate a kernel structure containing function pointers to be executed. After modifying a function pointer to point to a function of the attacker's choosing, the attacker triggers the original function to be called and executes privileged code.

References:

https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use

http://man7.org/linux/man-pages/man7/inotify.7.html

https://argp.github.io/2012/01/03/linux-kernel-heap-exploitaion/

https://vsecurity.com//download/papers/slob-exploitation.pdf

http://seclists.org/oss-sec/2017/q3/240

https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1408967.html

https://patchwork.kernel.org/patch/9755753/

https://patchwork.kernel.org/patch/9755757/

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=49d31c2f389acfe83417083e1208422b4091cd9

Take Action

All Red Hat customers running affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below. A system reboot is required for the kernel update to take effect.

Products and package versions below will be added when available.

Updates for Affected Products

A kpatch for customers running Red Hat Enterprise Linux 7.2 or greater will be available. Please open a support case to gain access to the kpatch.

For more details about what a kpatch is, see: Is live kernel patching (kpatch) supported in RHEL 7?

Product                                                Package     Advisory/Update
Red Hat Enterprise Linux 7                             kernel      RHSA-2017:2473
Red Hat Enterprise Linux 7                             kernel-rt   RHSA-2017:2585
Red Hat Enterprise Linux 7.2 Extended Update Support*  kernel      RHSA-2017:2869
Red Hat Enterprise Linux 7.3 Extended Update Support*  kernel      RHSA-2017:2770
Red Hat Enterprise MRG 2                               kernel-rt   RHSA-2017:2669

*An active EUS subscription is required for access to this patch.

Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active EUS subscription.

What is the Red Hat Enterprise Linux Extended Update Support Subscription?
