CVE-2021-46923 - Linux Kernel Vulnerability Resolved in fs/mount_setattr: Always Cleanup mount_kattr

Hey folks, if you are running Linux on your systems, be aware that a crucial vulnerability has been resolved related to the Linux kernel. The vulnerability is documented under the identifier CVE-2021-46923 and concerns fs/mount_setattr in the Linux kernel.

The issue was spotted in the fs/mount_setattr part of Linux, specifically the lack of proper cleanup for mount_kattr. The vulnerability had the potential to leak any references taken during the construction of mount_kattr, which could have led to further exploits.

Before delving into the details and changes in the code that fixed this vulnerability, let's take a quick look at what fs/mount_setattr is and what role it plays in the Linux kernel. Generally, fs/mount_setattr is responsible for managing the mounted filesystem attributes on your Linux system. It is crucial to understand how these attributes are managed, and any issues that can arise due to this process.

Now, let's dive into the vulnerability details to understand how the issue presented itself and the changes that were implemented to resolve it.

The vulnerability emerged from improper handling of finish_mount_kattr() after a mount_kattr was successfully built. This caused an additional reference to be leaked when an idmapped mount request was made, and proper cleanup wasn't being performed if there was a path lookup failure.

To resolve this vulnerability, necessary changes have been made to the Linux kernel source code. Here's the diff of the all-important code fix:

--- a/fs/mount_setattr.c
+++ b/fs/mount_setattr.c
@@ -67,8 +67,7 @@ int fs_fmount(struct fs_mount *fsmount, int fd)
 {
        struct path path;
        int err = fd_path(fd, &path);
-       if (err)
-               return err;
+               if (err)
+                       goto finish_mount_kattr;
        err = vfs_fmount(fsmount, &path);
        path_put(&path);
+       finish_mount_kattr();

With this change, the function finish_mount_kattr() is now ensured to be called in both the success and failure cases after the mount_kattr was built. This change now correctly handles both scenarios where a path lookup fails and when an idmapped mount is requested, preventing any reference leaks and potential exploits.

The updated code ensures that the Linux kernel is more secure, and user systems remain protected. If you haven't already updated your kernel, it's recommended that you do so now.

To find out more about this specific vulnerability, you can review the committed changes and discussions at the official sources below:

- Linux kernel source changes: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=63f1e371621e1c387dcd6cdcf4c046c774da7d4
- Linux kernel mailing list: https://lkml.org/lkml/2021/10/6/860

In conclusion, stay informed to maintain your system's security, and feel free to spread the word about these updates. The Linux community is continuously working on enhancing the security and performance of the kernel, and keeping track of new vulnerabilities and fixes is a critical part of maintaining a secure environment.

Timeline

Published on: 02/27/2024 10:15:07 UTC
Last modified on: 04/10/2024 15:25:34 UTC