CVE-2023-52779

fs: Pass AT_GETATTR_NOSEC flag to getattr interface function

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: fs: Pass AT_GETATTR_NOSEC flag to getattr interface function When vfs_getattr_nosec() calls a filesystem's getattr interface function
then the 'nosec' should propagate into this function so that
vfs_getattr_nosec() can again be called from the filesystem's gettattr
rather than vfs_getattr(). The latter would add unnecessary security
checks that the initial vfs_getattr_nosec() call wanted to avoid.
Therefore, introduce the getattr flag GETATTR_NOSEC and allow to pass
with the new getattr_flags parameter to the getattr interface function.
In overlayfs and ecryptfs use this flag to determine which one of the
two functions to call. In a recent code change introduced to IMA vfs_getattr_nosec() ended up
calling vfs_getattr() in overlayfs, which in turn called
security_inode_getattr() on an exiting process that did not have
current->fs set anymore, which then caused a kernel NULL pointer
dereference. With this change the call to security_inode_getattr() can
be avoided, thus avoiding the NULL pointer dereference.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fs: pasar el indicador AT_GETATTR_NOSEC a la función de interfaz getattr. Cuando vfs_getattr_nosec() llama a la función de interfaz getattr de un sistema de archivos, entonces 'nosec' debe propagarse a esta función para que se pueda volver a llamar a vfs_getattr_nosec() desde gettattr del sistema de archivos en lugar de vfs_getattr(). Esto último agregaría controles de seguridad innecesarios que la llamada inicial a vfs_getattr_nosec() quería evitar. Por lo tanto, introduzca el indicador getattr GETATTR_NOSEC y permita pasar con el nuevo parámetro getattr_flags a la función de interfaz getattr. En overlayfs y ecryptfs use este indicador para determinar cuál de las dos funciones llamar. En un cambio de código reciente introducido en IMA, vfs_getattr_nosec() terminó llamando a vfs_getattr() en overlayfs, que a su vez llamó a security_inode_getattr() en un proceso saliente que ya no tenía current->fs configurado, lo que luego provocó una desreferencia del puntero NULL del kernel . Con este cambio se puede evitar la llamada a security_inode_getattr(), evitando así la desreferencia del puntero NULL.

In the Linux kernel, the following vulnerability has been resolved: fs: Pass AT_GETATTR_NOSEC flag to getattr interface function When vfs_getattr_nosec() calls a filesystem's getattr interface function then the 'nosec' should propagate into this function so that vfs_getattr_nosec() can again be called from the filesystem's gettattr rather than vfs_getattr(). The latter would add unnecessary security checks that the initial vfs_getattr_nosec() call wanted to avoid. Therefore, introduce the getattr flag GETATTR_NOSEC and allow to pass with the new getattr_flags parameter to the getattr interface function. In overlayfs and ecryptfs use this flag to determine which one of the two functions to call. In a recent code change introduced to IMA vfs_getattr_nosec() ended up calling vfs_getattr() in overlayfs, which in turn called security_inode_getattr() on an exiting process that did not have current->fs set anymore, which then caused a kernel NULL pointer dereference. With this change the call to security_inode_getattr() can be avoided, thus avoiding the NULL pointer dereference.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-21 CVE Reserved
2024-05-21 CVE Published
2024-12-19 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (3)

URL	Tag	Source
https://git.kernel.org/stable/c/db1d1e8b9867aae5c3e61ad7859abfcc4a6fd6c7	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/3fb0fa08641903304b9d81d52a379ff031dc41d4	2023-12-03
https://git.kernel.org/stable/c/8a924db2d7b5eb69ba08b1a0af46e9f1359a9bdf	2023-11-18

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.6.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.6.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.5 < 6.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.5 < 6.7"		en		Affected