Red Hat Product Security has been made aware of a vulnerability affecting the Linux kernel's impementation of inotify. The vulnerability has been assigned CVE-2017-7533. This issue was publicly disclosed on August 3rd, 2017 and is rated as Important.
Inotify (an abbreviation of inode notify) is a Linux kernel subsystem which acts to allow userspace processes to be notified of changes to the filesystem. This functionality exists for most local filesystems backed by physical media and some virtual filesystems such as sysfs.
Userspace applications must set an explicit watch on either a directory or a file itself to be notified of changes to theirs content. For all event types please see the man page for inotify.
Notification events and changes to the observed file are asynchronous, a change to the file can be in progress while userspace applications are processing previous events.
The event handling code in inotify subsystem dynamically allocates memory using the kernel slab allocator as the events occur. These are sized base on the struct named inotify_event_info. The final element in the struct is a buffer with the file name used in the event.
If an observed file is renamed while an event is being handled in inotify_handle_event, a race condition can occur. The length of the filename is calculated earlier in the function and the new length of the filename may be longer than the previously calculated length.
The file name value is copied into a slab entry without consideration for the newly renamed length. The additional length of the longer filename will write past the end of the allocated area and corrupt valid memory contents.
An attacker can craft data to control a content of the next slab or slab's free list pointer. For example, he can make next 'free' allocation to be in the userspace, in a location that he can write to.
When a kernel function requests the next free "slab" entry, the slab allocator can consider this a valid free block of memory. An attacker can then read and write kernel data including kernel function pointers which can enable privilege escalation.
Red Hat would like to thank Leilei Lin from Alibaba Group and Fan Wu, Shixiong Zhao from the University of Hong Kong.
The following Red Hat product versions are impacted:
- Red Hat Enterprise Linux 7
- Red Hat Enterprise MRG 2
- Red Hat Openshift Online v2
Attack description and impact.
This flaw allows an attacker with an account on the local system to potentially elevate privileges. This class of flaw is commonly referred to as SLAB corruption. Flaws of this nature are generally exploited by manipulating kernel memory allocations in a location which an attacker can control. An attacker would then allocate a kernel structure containing function pointers to be executed. After modifying the function pointer to point to a function of the attackers choosing, the attacker trigger the original function to be called and executes priviledged code.
All Red Hat customers running affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below. A system reboot is required in order for the kernel update to be applied.
Products and package versions below will be added when available.
Updates for Affected Products
A kpatch for customers running Red Hat Enterprise Linux 7.2 or greater will be available. Please open a support case to gain access to the kpatch.
For more details about what a kpatch is: Is live kernel patching (kpatch) supported in RHEL 7?
|Red Hat Enterprise Linux 7||kernel||RHSA-2017:2473|
|Red Hat Enterprise Linux 7||kernel-rt||RHSA-2017:2585|
|Red Hat Enterprise Linux 7.2 Extended Update Support*||kernel||RHSA-2017:2869|
|Red Hat Enterprise Linux 7.3 Extended Update Support*||kernel||RHSA-2017:2770|
|Red Hat Enterprise MRG 2||kernel-rt||RHSA-2017:2669|
*An active EUS subscription is required for access to this patch.
Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active EUS subscription.