CVE-2024-36963

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 03/06/2024
Last modified: 17/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tracefs: Reset permissions on remount if permissions are options

There's an inconsistency with the way permissions are handled in tracefs. Because the permissions are generated when accessed, they default to the root inode's permission if they were never set by the user. If the user sets the permissions, then a flag is set and the permissions are saved via the inode (for tracefs files) or an internal attribute field (for eventfs).

But if a remount happens that specifies the permissions, all the files that were not changed by the user get updated, but the ones that were are not. If the user were to remount the file system with a given permission, then all files and directories within that file system should be updated.

This can cause security issues if a file's permission was updated but the admin forgot about it. They could incorrectly think that remounting with permissions set would update all files, but miss some.

For example:

    # cd /sys/kernel/tracing
    # chgrp 1002 current_tracer
    # ls -l
    [..]
    -rw-r----- 1 root root 0 May 1 21:25 buffer_size_kb
    -rw-r----- 1 root root 0 May 1 21:25 buffer_subbuf_size_kb
    -r--r----- 1 root root 0 May 1 21:25 buffer_total_size_kb
    -rw-r----- 1 root lkp 0 May 1 21:25 current_tracer
    -rw-r----- 1 root root 0 May 1 21:25 dynamic_events
    -r--r----- 1 root root 0 May 1 21:25 dyn_ftrace_total_info
    -r--r----- 1 root root 0 May 1 21:25 enabled_functions

Where current_tracer now has group "lkp".

    # mount -o remount,gid=1001 .
    # ls -l
    -rw-r----- 1 root tracing 0 May 1 21:25 buffer_size_kb
    -rw-r----- 1 root tracing 0 May 1 21:25 buffer_subbuf_size_kb
    -r--r----- 1 root tracing 0 May 1 21:25 buffer_total_size_kb
    -rw-r----- 1 root lkp 0 May 1 21:25 current_tracer
    -rw-r----- 1 root tracing 0 May 1 21:25 dynamic_events
    -r--r----- 1 root tracing 0 May 1 21:25 dyn_ftrace_total_info
    -r--r----- 1 root tracing 0 May 1 21:25 enabled_functions

Everything changed but the "current_tracer".

Add a new link list that keeps track of all the tracefs_inodes which have the permission flags that tell if the file/dir should use the root inode's permission or not. Then on remount, clear all the flags so that the default behavior of using the root inode's permission is done for all files and directories.
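
An added audit example (not part of the advisory or the kernel patch): it walks a tracefs mount and lists every entry whose owner or group differs from the root inode, which is how a stale entry such as current_tracer in the description shows up after a remount. The function name, its parameters and the injectable `lstat` hook are this example's own; the default path is the one used in the description.

```python
#!/usr/bin/env python3
"""Audit a tracefs mount for entries whose owner/group differs from the root inode."""
import os
import sys


def find_owner_outliers(root="/sys/kernel/tracing", expect_uid=None,
                        expect_gid=None, lstat=os.lstat):
    """Return [(path, uid, gid)] for entries that do not match the expected owner.

    Expected values default to the mount's root inode, which is what entries
    never changed by the user inherit. `lstat` is injectable (an assumption of
    this example) so the walk can be exercised without root privileges.
    """
    root_st = lstat(root)
    uid = root_st.st_uid if expect_uid is None else expect_uid
    gid = root_st.st_gid if expect_gid is None else expect_gid
    outliers = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            try:
                st = lstat(path)
            except OSError:
                continue  # entry disappeared or is unreadable while walking
            if st.st_uid != uid or st.st_gid != gid:
                outliers.append((path, st.st_uid, st.st_gid))
    return outliers


def main(argv):
    root = argv[1] if len(argv) > 1 else "/sys/kernel/tracing"
    outliers = find_owner_outliers(root)
    for path, uid, gid in outliers:
        print(f"{path}: uid={uid} gid={gid} differs from root inode")
    return 1 if outliers else 0  # non-zero exit so it can gate a config check


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root after `mount -o remount,gid=...`; entries it reports kept an earlier owner or group and need an explicit chown/chgrp on a kernel in the affected ranges.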

Vulnerable products and versions

CPE                                             From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.6.18 (including)   6.6.31 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.7.4 (including)    6.8.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc6:*:*:*:*:*:*