ghsa-g9x3-hhpq-jcqm
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
landlock: Don't lose track of restrictions on cred_transfer
When a process' cred struct is replaced, this almost always invokes the cred_prepare LSM hook; but in one special case (when KEYCTL_SESSION_TO_PARENT updates the parent's credentials), the cred_transfer LSM hook is used instead. Landlock only implements the cred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes all information on Landlock restrictions to be lost.
This basically means that a process with the ability to use the fork() and keyctl() syscalls can get rid of all Landlock restrictions on itself.
Fix it by adding a cred_transfer hook that does the same thing as the existing cred_prepare hook. (Implemented by having hook_cred_prepare() call hook_cred_transfer() so that the two functions are less likely to accidentally diverge in the future.)
{
"affected": [],
"aliases": [
"CVE-2024-42318"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-17T09:15:11Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Don\u0027t lose track of restrictions on cred_transfer\n\nWhen a process\u0027 cred struct is replaced, this _almost_ always invokes\nthe cred_prepare LSM hook; but in one special case (when\nKEYCTL_SESSION_TO_PARENT updates the parent\u0027s credentials), the\ncred_transfer LSM hook is used instead. Landlock only implements the\ncred_prepare hook, not cred_transfer, so KEYCTL_SESSION_TO_PARENT causes\nall information on Landlock restrictions to be lost.\n\nThis basically means that a process with the ability to use the fork()\nand keyctl() syscalls can get rid of all Landlock restrictions on\nitself.\n\nFix it by adding a cred_transfer hook that does the same thing as the\nexisting cred_prepare hook. (Implemented by having hook_cred_prepare()\ncall hook_cred_transfer() so that the two functions are less likely to\naccidentally diverge in the future.)",
"id": "GHSA-g9x3-hhpq-jcqm",
"modified": "2024-08-19T06:30:54Z",
"published": "2024-08-17T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42318"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=2566"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0d74fd54db0bd0c0c224bef0da8fc95ea9c9f36c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/16896914bace82d7811c62f3b6d5320132384f49"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/39705a6c29f8a2b93cf5b99528a55366c50014d1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/916c648323fa53b89eedb34a0988ddaf01406117"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b14cc2cf313bd29056fadbc8ecd7f957cf5791ff"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/all/20240817.shahka3Ee1iy@digikod.net"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2024/08/17/2"
}
],
"schema_version": "1.4.0",
"severity": []
}
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.