Description

In the Linux kernel, the following vulnerability has been resolved: fsverity: reject FS_IOC_ENABLE_VERITY on mode 3 fds Commit 56124d6c87fd ("fsverity: support enabling with tree block size < PAGE_SIZE") changed FS_IOC_ENABLE_VERITY to use __kernel_read() to read the file's data, instead of direct pagecache accesses. An unintended consequence of this is that the 'WARN_ON_ONCE(!(file->f_mode & FMODE_READ))' in __kernel_read() became reachable by fuzz tests. This happens if FS_IOC_ENABLE_VERITY is called on a fd opened with access mode 3, which means "ioctl access only". Arguably, FS_IOC_ENABLE_VERITY should work on ioctl-only fds. But ioctl-only fds are a weird Linux extension that is rarely used and that few people even know about. (The documentation for FS_IOC_ENABLE_VERITY even specifically says it requires O_RDONLY.) It's probably not worthwhile to make the ioctl internally open a new fd just to handle this case. Thus, just reject the ioctl on such fds for now.

Affected Products 1

References 2

• git.kernel.org https://git.kernel.org/stable/c/04839139213cf60d4c5fc792214a08830e294ff8
  Patch
• git.kernel.org https://git.kernel.org/stable/c/85c039cff3c359967cafe90443c02321e950b216
  Patch

Remediation

• git.kernel.org https://git.kernel.org/stable/c/04839139213cf60d4c5fc792214a08830e294ff8
  Patch
• git.kernel.org https://git.kernel.org/stable/c/85c039cff3c359967cafe90443c02321e950b216
  Patch