oss-sec mailing list archives

CVE request: kernel: issue with O_EXCL creates on NFSv4


From: Eugene Teo <eugeneteo () kernel sg>
Date: Mon, 21 Sep 2009 13:45:31 +0800

There is an issue with O_EXCL creates on NFSv4 that with enough attempts, it is possible for a lingering file from a failed create that is world-writable but only setuid execute as the user who is attempting these creates. Fortunately, root is not susceptible to this bug, so a setuid root file should not be possible. It might be possible to exploit this to gain access as another user though.

In-depth description/reproducer:
https://bugzilla.redhat.com/show_bug.cgi?id=524520#c0

Upstream commits:
http://git.kernel.org/linus/af85852d (fixed in v2.6.19-rc6)
http://git.kernel.org/linus/81ac95c5 (fixed in v2.6.19-rc6)
http://git.kernel.org/linus/79fb54ab (fixed in v2.6.30-rc1)

Thanks, Eugene
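
A defensive audit for the artifact described above, as an added example that is not part of the original post or of the linked Bugzilla entry: it walks a directory tree (for instance an NFSv4 mount point) and reports regular files that are both setuid and world-writable. Reading the described leftover as "setuid bit plus other-write bit" is an assumption, and the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def find_writable_setuid(root):
    """Return sorted (path, uid, octal mode) tuples for regular files under
    root that carry both the setuid bit and the world-writable bit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            # Assumption: the leftover file is recognisable by setuid + other-write.
            if st.st_mode & stat.S_ISUID and st.st_mode & stat.S_IWOTH:
                hits.append((path, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample directory: one suspicious file and two benign ones."""
    root = tempfile.mkdtemp(prefix="nfs_audit_")
    samples = (("leftover", 0o4777), ("setuid_only", 0o4755), ("shared", 0o666))
    for name, mode in samples:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # chmod after writing, since a write clears setuid
    return root


if __name__ == "__main__":
    import sys

    # Pass a mount point as the first argument; without one, scan the sample tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, uid, mode in find_writable_setuid(target):
        print(f"{mode} uid={uid} {path}")
```

Hits owned by a non-root uid are the ones that match the post's description, since it states that root is not susceptible.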

