Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-49338.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-49338
Upstream
Published
2024-09-13T06:15:14Z
Modified
2026-04-01T05:16:10.269510Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Summary
CVE-2024-46695 affecting package kernel for versions less than 5.15.176.3-1
Details

In the Linux kernel, the following vulnerability has been resolved:

selinux,smack: don't bypass permissions check in inode_setsecctx hook

Marek Gresko reports that the root user on an NFS client is able to change the security labels on files on an NFS filesystem that is exported with root squashing enabled.

The end of the kerneldoc comment for __vfs_setxattr_noperm() states:

 *  This function requires the caller to lock the inode's i_mutex before it
 *  is executed. It also assumes that the caller will make the appropriate
 *  permission checks.

nfsd_setattr() does do permissions checking via fh_verify() and nfsd_permission(), but those don't do all the same permissions checks that are done by security_inode_setxattr() and its related LSM hooks.

Since nfsd_setattr() is the only consumer of security_inode_setsecctx(), the simplest solution appears to be to replace the call to __vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This fixes the above issue and has the added benefit of causing nfsd to recall conflicting delegations on a file when a client tries to change its security label.

References

Affected packages

Azure Linux:2 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.15.176.3-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-49338.json"