2018-11-23 15:20:49 UTC
Vasily Averin and Pavel Tikhomirov from Virtuozzo Kernel Team
found way for an unprivileged user to access a content of a deleted file
of any other users on a file systems with enabled cleancache.
Under certain conditions it may not drop a content of a deleted
file on its last iput(). When a newly created file gets an inode number
of the previously deleted file its read can get the content of the deleted
file saved in cleancache.
For now only Xen's tmem driver registers itself as a backend for cleancache:
$ git grep cleancache_register_ops
drivers/xen/tmem.c: err = cleancache_register_ops(&tmem_cleancache_ops);
mm/cleancache.c:int cleancache_register_ops(const struct cleancache_ops *ops)
This means only Xen's guests with tmem driver active are vulnerable.
Vladis Dronov | Red Hat, Inc. | Product Security Engineer