CVE-2024-43882 Information

Description

In the Linux kernel the following vulnerability has been resolved:

exec: Fix ToCToU between perm check and set-uid/gid usage

When opening a file for exec via do_filp_open() permission checking is done against the file’s metadata at that moment and on success a file pointer is passed back. Much later in the execve() code path the file metadata (specifically mode uid and gid) is used to determine if/how to set the uid and gid. However those values may have changed since the permissions check meaning the execution may gain unintended privileges.

For example if a file could change permissions from executable and not set-id:

———x 1 root root 16048 Aug 7 13:16 target

to set-id and non-executable:

S—— 1 root root 16048 Aug 7 13:16 target

it is possible to gain root privileges when execution should have been disallowed.

While this race condition is rare in real-world scenarios it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example ## Reference https://git.kernel.org/stable/c/d5c3c7e26275a2d83b894d30f7582a42853a958f https://git.kernel.org/stable/c/368f6985d46657b8b466a421dddcacd4051f7ada https://git.kernel.org/stable/c/15469d46ba34559bfe7e3de6659115778c624759 https://git.kernel.org/stable/c/9b424c5d4130d56312e2a3be17efb0928fec4d64 https://git.kernel.org/stable/c/f6cfc6bcfd5e1cf76115b6450516ea4c99897ae1 https://git.kernel.org/stable/c/d2a2a4714d80d09b0f8eb6438ab4224690b7121e https://git.kernel.org/stable/c/90dfbba89ad4f0d9c9744ecbb1adac4aa2ff4f3e https://git.kernel.org/stable/c/f50733b45d865f91db90919f8311e2127ce5a0cb