{ "id": "CVE-2024-47740", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-10-21T13:15:04.103", "lastModified": "2024-11-08T16:15:27.477", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: Require FMODE_WRITE for atomic write ioctls\n\nThe F2FS ioctls for starting and committing atomic writes check for\ninode_owner_or_capable(), but this does not give LSMs like SELinux or\nLandlock an opportunity to deny the write access - if the caller's FSUID\nmatches the inode's UID, inode_owner_or_capable() immediately returns true.\n\nThere are scenarios where LSMs want to deny a process the ability to write\nparticular files, even files that the FSUID of the process owns; but this\ncan currently partially be bypassed using atomic write ioctls in two ways:\n\n - F2FS_IOC_START_ATOMIC_REPLACE + F2FS_IOC_COMMIT_ATOMIC_WRITE can\n truncate an inode to size 0\n - F2FS_IOC_START_ATOMIC_WRITE + F2FS_IOC_ABORT_ATOMIC_WRITE can revert\n changes another process concurrently made to a file\n\nFix it by requiring FMODE_WRITE for these operations, just like for\nF2FS_IOC_MOVE_RANGE. Since any legitimate caller should only be using these\nioctls when intending to write into the file, that seems unlikely to break\nanything." }, { "lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: f2fs: Requerir FMODE_WRITE para ioctls de escritura at\u00f3mica Los ioctls de F2FS para iniciar y confirmar escrituras at\u00f3micas comprueban inode_owner_or_capable(), pero esto no da a los LSM como SELinux o Landlock la oportunidad de denegar el acceso de escritura: si el FSUID del llamador coincide con el UID del inodo, inode_owner_or_capable() devuelve verdadero inmediatamente. Hay escenarios en los que los LSM quieren denegar a un proceso la capacidad de escribir archivos particulares, incluso archivos que el FSUID del proceso posee; pero esto actualmente se puede omitir parcialmente usando ioctls de escritura at\u00f3mica de dos maneras: - F2FS_IOC_START_ATOMIC_REPLACE + F2FS_IOC_COMMIT_ATOMIC_WRITE puede truncar un inodo a tama\u00f1o 0 - F2FS_IOC_START_ATOMIC_WRITE + F2FS_IOC_ABORT_ATOMIC_WRITE puede revertir los cambios que otro proceso realiz\u00f3 simult\u00e1neamente en un archivo Arr\u00e9glelo requiriendo FMODE_WRITE para estas operaciones, al igual que para F2FS_IOC_MOVE_RANGE. Dado que cualquier llamador leg\u00edtimo solo debe usar estos ioctls cuando tenga la intenci\u00f3n de escribir en el archivo, parece poco probable que eso rompa algo." } ], "metrics": {}, "references": [ { "url": "https://git.kernel.org/stable/c/000bab8753ae29a259feb339b99ee759795a48ac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/32f348ecc149e9ca70a1c424ae8fa9b6919d2713", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/4583290898c13c2c2e5eb8773886d153c2c5121d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/4ce87674c3a6b4d3b3d45f85b584ab8618a3cece", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/4f5a100f87f32cb65d4bb1ad282a08c92f6f591e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/5e0de753bfe87768ebe6744d869caa92f35e5731", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/700f3a7c7fa5764c9f24bbf7c78e0b6e479fa653", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/88ff021e1fea2d9b40b2d5efd9013c89f7be04ac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" }, { "url": "https://git.kernel.org/stable/c/f3bfac2cabf5333506b263bc0c8497c95302f32d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67" } ] }