Vladis Dronov
2018-11-23 15:20:49 UTC
Heololo,
Vasily Averin and Pavel Tikhomirov from Virtuozzo Kernel Team
found way for an unprivileged user to access a content of a deleted file
of any other users on a file systems with enabled cleancache.
Under certain conditions it may not drop a content of a deleted
file on its last iput(). When a newly created file gets an inode number
of the previously deleted file its read can get the content of the deleted
file saved in cleancache.
For now only Xen's tmem driver registers itself as a backend for cleancache:
$ git grep cleancache_register_ops
...
drivers/xen/tmem.c: err = cleancache_register_ops(&tmem_cleancache_ops);
mm/cleancache.c:int cleancache_register_ops(const struct cleancache_ops *ops)
This means only Xen's guests with tmem driver active are vulnerable.
References:
https://lore.kernel.org/patchwork/patch/1011367/
https://bugzilla.redhat.com/show_bug.cgi?id=1649017
Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
Vasily Averin and Pavel Tikhomirov from Virtuozzo Kernel Team
found way for an unprivileged user to access a content of a deleted file
of any other users on a file systems with enabled cleancache.
Under certain conditions it may not drop a content of a deleted
file on its last iput(). When a newly created file gets an inode number
of the previously deleted file its read can get the content of the deleted
file saved in cleancache.
For now only Xen's tmem driver registers itself as a backend for cleancache:
$ git grep cleancache_register_ops
...
drivers/xen/tmem.c: err = cleancache_register_ops(&tmem_cleancache_ops);
mm/cleancache.c:int cleancache_register_ops(const struct cleancache_ops *ops)
This means only Xen's guests with tmem driver active are vulnerable.
References:
https://lore.kernel.org/patchwork/patch/1011367/
https://bugzilla.redhat.com/show_bug.cgi?id=1649017
Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer