** Changed in: linux (Ubuntu Disco)
       Status: Triaged => Fix Committed

https://bugs.launchpad.net/bugs/1801924

Title:
  CVE-2018-18955: nested user namespaces with more than five extents
  incorrectly grant privileges over inode

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  Fix Committed

Bug description:
  Jann Horn reported that nested user namespaces with more than five
  mappings allow gaining privilege over an inode.

  Here is my write up of how this happens:
  Currently, the forward map and reverse map are copied and sorted at the
  same time before necessary updates to the forward map have been
  performed. This has the consequence that the forward map receives the
  necessary updates while the reverse map does not, leaving it with
  invalid data. Specifically, this means that the lower ids of the
  forward mapping will be correctly mapped to appropriate kernel ids,
  while the lower ids of the reverse mapping will not.

  This breaks inode_owner_or_capable() and privileged_wrt_inode_uidgid()
  which call helpers that need to access the reverse mapping. Thus, a
  process can incorrectly appear to be capable relative to an inode.

  Note that the sorting logic is only triggered when more than five
  extents are specified and when user namespaces are nested. Hence, only
  containers with complex mappings in nested user namespaces are
  affected.

  To fix this issue we need to ensure that the translation happens for
  both the forward and reverse mappings. First, the forward mappings are
  sorted and its lower ids translated into kernel ids. After this the
  forward mapping is copied into the reverse mapping and the reverse
  mappings sorted.

  A proposed patch is appended here.
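
An added illustration, not part of the bug report and not kernel code: a simplified user-space C model of the ordering problem described above, with a check that the reverse map resolves the same kernel ids the forward map produces. The extent layout, the parent offset of 100000 and all function names are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified model of an ID-map extent (hypothetical names, not kernel code). */
struct extent { unsigned first, lower_first, count; };
#define N 6 /* more than five extents, so the sorted path is taken */

static int cmp(unsigned x, unsigned y) { return (x > y) - (x < y); }
static int by_first(const void *a, const void *b) {
    return cmp(((const struct extent *)a)->first, ((const struct extent *)b)->first);
}
static int by_lower(const void *a, const void *b) {
    return cmp(((const struct extent *)a)->lower_first, ((const struct extent *)b)->lower_first);
}
/* Assumed parent namespace: its id p corresponds to kernel id 100000 + p. */
static unsigned parent_to_kernel(unsigned p) { return 100000u + p; }

/* Build forward and reverse maps from extents written in the nested namespace. */
static void build(const struct extent *in, struct extent *fwd,
                  struct extent *rev, int fixed_order) {
    memcpy(fwd, in, N * sizeof *in);
    qsort(fwd, N, sizeof *fwd, by_first);
    if (!fixed_order)                 /* ordering described in the report: copy too early */
        memcpy(rev, fwd, N * sizeof *fwd);
    for (int i = 0; i < N; i++)       /* translate lower ids into kernel ids */
        fwd[i].lower_first = parent_to_kernel(fwd[i].lower_first);
    if (fixed_order)                  /* fixed ordering: copy after translation */
        memcpy(rev, fwd, N * sizeof *fwd);
    qsort(rev, N, sizeof *rev, by_lower);
}

/* Reverse lookup: kernel id -> namespace id, or -1 when unmapped. */
static long map_up(const struct extent *rev, unsigned kid) {
    for (int i = 0; i < N; i++)
        if (kid >= rev[i].lower_first && kid - rev[i].lower_first < rev[i].count)
            return (long)rev[i].first + (kid - rev[i].lower_first);
    return -1;
}

/* Returns 1 when every forward extent resolves back through the reverse map. */
static int maps_consistent(int fixed_order) {
    struct extent in[N], fwd[N], rev[N];
    for (unsigned i = 0; i < N; i++)  /* constructed sample extents */
        in[i] = (struct extent){ .first = i * 10, .lower_first = (N - 1 - i) * 10, .count = 10 };
    build(in, fwd, rev, fixed_order);
    for (int i = 0; i < N; i++)
        if (map_up(rev, fwd[i].lower_first) != (long)fwd[i].first) return 0;
    return 1;
}
int main(void) { return !(maps_consistent(1) && !maps_consistent(0)); }
```

With the early copy, the reverse map still holds the untranslated lower ids, so reverse lookups of the translated kernel ids fail while lookups of the raw parent-namespace values succeed; this stale state is what the helpers named in the description would consult.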
