[Kernel-packages] [Bug 1947718] Re: overlay: permission regression in 5.4.0.89.93 due to fix for CVE-2021-3732
I now tested with newer kernels: The regression is still present in 5.15.0-33-generic from the hwe-edge package for Ubuntu 20.04. I also tested kernels from the Ubuntu Mainline Kernel Archive. It works with 5.13.0-051300-generic and fails with 5.14.0-051400-generic and also still with 5.18.3-051803-generic. So this is consistent with my hypothesis about which commit is the problem. Is there a chance to get this resolved? If I can be of any further help, e.g., by testing more kernel versions, please let me know!

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1947718

Title:
  overlay: permission regression in 5.4.0.89.93 due to fix for CVE-2021-3732

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Since kernel 5.4.0-89.100 on Focal and 4.15.0-159.167 on Bionic I can no longer mount an overlay filesystem over directories like / in a user namespace. With kernel versions 5.4.0-88.99 and 4.15.0-158.166, respectively, this still works.

  An easy way to test this is the following command:

      mkdir /tmp/test /tmp/test/upper /tmp/test/work
      unshare -m -U -r mount -t overlay none / -o lowerdir=/,upperdir=/tmp/test/upper,workdir=/tmp/test/work

  On an older kernel, this works and outputs nothing. On the affected kernels, it outputs:

      mount: /: wrong fs type, bad option, bad superblock on none, missing codepage or helper program, or other error.

  I strongly suspect that this is due to commit "ovl: prevent private clone if bind mount is not allowed" (https://github.com/torvalds/linux/commit/427215d85e8d1476da1a86b8d67aceb485eb3631), which is supposed to fix CVE-2021-3732 and was backported to the affected Ubuntu kernels. This would likely mean that all other supported Ubuntu versions are affected, and also the upstream kernel (but I did not test this).

  My testing indicates that the mount problem exists whenever I want to use a directory as lowerdir that has some mountpoints below. For example, using / or /dev as lowerdir does not work, but lowerdir=/dev/shm works even on the affected kernels.

  Of course I can understand the problem of CVE-2021-3732, but the current fix is clearly a regression for legitimate behavior. My use case is that I want to create a container for sandboxing purposes where I want to mount overlays inside a user+mount namespace over the whole visible filesystem hierarchy. (Note that in this use case, I iterate over all mount points and create an overlay mount for each existing mount point; I do not expect a single overlay mount to have meaningful cross-mountpoint behavior. So my use case is not affected by the security problem. But for this I still need to be able to create overlay mounts for all mount points, including non-leaf mountpoints.)

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: linux-image-5.4.0-89-generic 5.4.0-89.100
  ProcVersionSignature: User Name 5.4.0-89.100-generic 5.4.143
  Uname: Linux 5.4.0-89-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.20
  Architecture: amd64
  Date: Tue Oct 19 12:15:01 2021
  MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
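The bug description above observes that the overlay mount is refused exactly when lowerdir has mount points beneath it. As an added example (not code from the bug report or from the Ubuntu kernel team), this POSIX sh script predicts that condition from /proc/self/mountinfo for a list of candidate lowerdirs and, only when OVERLAY_PROBE=1 is set, runs the reporter's reproducer in a throwaway user+mount namespace to compare the prediction with the running kernel. The sample mountinfo listing and all function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the Ubuntu kernel team.
# The reporter found that the overlay mount fails on kernels carrying the
# CVE-2021-3732 fix exactly when lowerdir has mount points beneath it. This
# script predicts that condition from /proc/self/mountinfo and, if asked,
# runs the reporter's reproducer to compare the prediction with the kernel.

# Print the mount point (field 5) of every line in a mountinfo listing,
# decoding the \040 escape that mountinfo uses for spaces in paths.
mountpoints_from_mountinfo() {
    awk '{ gsub(/\\040/, " ", $5); print $5 }' "${1:-/proc/self/mountinfo}"
}

# Succeed (exit 0) if directory $1 has at least one mount point strictly
# below it according to the mountinfo file $2 (default: the live one).
has_submounts() {
    dir=$1
    mi=${2:-/proc/self/mountinfo}
    case $dir in
        /)  prefix=/ ;;        # everything except / itself is below /
        */) prefix=$dir ;;
        *)  prefix=$dir/ ;;    # "/dev/" so that /devices does not match /dev
    esac
    mountpoints_from_mountinfo "$mi" | awk -v d="$dir" -v p="$prefix" '
        $0 != d && index($0, p) == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# For each candidate lowerdir, print "<dir> affected" when it has submounts
# (the case the reporter saw refused) and "<dir> ok" otherwise.
classify_lowerdirs() {
    mi=$1
    shift
    for d in "$@"; do
        if has_submounts "$d" "$mi"; then
            printf '%s affected\n' "$d"
        else
            printf '%s ok\n' "$d"
        fi
    done
}

# Constructed sample mountinfo (not captured from the reporter's VM) with the
# layout the report talks about: /dev and /dev/shm, plus /proc and /tmp.
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:5 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,size=1G
24 23 0:21 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw
25 22 0:4 / /proc rw,nosuid,nodev,noexec shared:4 - proc proc rw
26 22 0:24 / /tmp rw,nosuid,nodev shared:5 - tmpfs tmpfs rw'

# Write the sample to a temporary file and print its path.
sample_mountinfo_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTINFO" > "$f"
    printf '%s\n' "$f"
}

# The reporter's reproducer for one lowerdir: a fresh user+mount namespace
# (unshare -m -U -r) and an overlay mounted over the directory itself. The
# mount vanishes with the namespace. Returns mount's exit status.
overlay_probe() {
    lower=$1
    scratch=$(mktemp -d)
    mkdir "$scratch/upper" "$scratch/work"
    if unshare -m -U -r mount -t overlay none "$lower" \
        -o "lowerdir=$lower,upperdir=$scratch/upper,workdir=$scratch/work"; then
        rc=0
    else
        rc=$?
    fi
    rm -rf "$scratch"
    return "$rc"
}

# Only with OVERLAY_PROBE=1: compare prediction and kernel behaviour for the
# three directories the report discusses. Needs unprivileged user namespaces.
if [ "${OVERLAY_PROBE:-0}" = 1 ]; then
    for d in / /dev /dev/shm; do
        if has_submounts "$d"; then pred=affected; else pred=ok; fi
        if overlay_probe "$d" 2>/dev/null; then res=mounted; else res=refused; fi
        printf '%-9s predicted=%s actual=%s\n' "$d" "$pred" "$res"
    done
fi
```

On a kernel with the fix applied, a "predicted=affected" directory is expected to show "actual=refused", while "predicted=ok" directories such as /dev/shm still mount.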
[Kernel-packages] [Bug 1947718] Re: overlay: permission regression in 5.4.0.89.93 due to fix for CVE-2021-3732
This is a kernel regression and now almost three months old. Could somebody please have a look?
[Kernel-packages] [Bug 1947718] ProcInterrupts.txt
apport information ** Attachment added: "ProcInterrupts.txt" https://bugs.launchpad.net/bugs/1947718/+attachment/5534264/+files/ProcInterrupts.txt
[Kernel-packages] [Bug 1947718] ProcCpuinfoMinimal.txt
apport information ** Attachment added: "ProcCpuinfoMinimal.txt" https://bugs.launchpad.net/bugs/1947718/+attachment/5534263/+files/ProcCpuinfoMinimal.txt
[Kernel-packages] [Bug 1947718] UdevDb.txt
apport information ** Attachment added: "UdevDb.txt" https://bugs.launchpad.net/bugs/1947718/+attachment/5534266/+files/UdevDb.txt
[Kernel-packages] [Bug 1947718] WifiSyslog.txt
apport information ** Attachment added: "WifiSyslog.txt" https://bugs.launchpad.net/bugs/1947718/+attachment/5534267/+files/WifiSyslog.txt ** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed
[Kernel-packages] [Bug 1947718] Re: overlay: permission regression in 5.4.0.89.93 due to fix for CVE-2021-3732
Status set to "Confirmed" as requested by the bot after uploading logs (although I did upload them when creating the issue as well...).

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1947718

Title:
  overlay: permission regression in 5.4.0.89.93 due to fix for CVE-2021-3732

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Since kernel 5.4.0-89.100 on Focal and 4.15.0-159.167 on Bionic I can no longer mount an overlay filesystem over directories like / in a user namespace. With kernel versions 5.4.0-88.99 and 4.15.0-158.166, respectively, this still works.

  An easy way to test this is the following command:

    mkdir /tmp/test /tmp/test/upper /tmp/test/work
    unshare -m -U -r mount -t overlay none / -o lowerdir=/,upperdir=/tmp/test/upper,workdir=/tmp/test/work

  On an older kernel, this works and outputs nothing. On the affected kernels, it outputs

    mount: /: wrong fs type, bad option, bad superblock on none, missing codepage or helper program, or other error.

  I strongly suspect that this is due to commit "ovl: prevent private clone if bind mount is not allowed" (https://github.com/torvalds/linux/commit/427215d85e8d1476da1a86b8d67aceb485eb3631), which is supposed to fix CVE-2021-3732 and was backported to the affected Ubuntu kernels. This would likely mean that all other supported Ubuntu versions and also the upstream kernel are affected (but I did not test this).

  My testing indicates that the mount problem exists whenever I want to use a directory as lowerdir that has some mountpoints below. For example, using / or /dev as lowerdir does not work, but lowerdir=/dev/shm works even on the affected kernels. Of course I can understand the problem of CVE-2021-3732, but the current fix is clearly a regression for legitimate behavior.

  My use case is that I want to create a container for sandboxing purposes where I want to mount overlays inside a user+mount namespace over the whole visible filesystem hierarchy. (Note that in this use case, I iterate over all mount points and create an overlay mount for each existing mount point; I do not expect a single overlay mount to have meaningful cross-mountpoint behavior. So my use case is not affected by the security problem. But for this I still need to be able to create overlay mounts for all mount points, including non-leaf mountpoints.)

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: linux-image-5.4.0-89-generic 5.4.0-89.100
  ProcVersionSignature: User Name 5.4.0-89.100-generic 5.4.143
  Uname: Linux 5.4.0-89-generic x86_64
  AlsaDevices:
   total 0
   crw-rw 1 root audio 116, 1 Oct 19 04:42 seq
   crw-rw 1 root audio 116, 33 Oct 19 04:42 timer
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
  ApportVersion: 2.20.11-0ubuntu27.20
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
  AudioDevicesInUse: Error: [Errno 2] No such file or directory: 'fuser'
  CasperMD5CheckResult: skip
  CurrentDmesg: Error: command ['dmesg'] failed with exit code 1: dmesg: read kernel buffer failed: Operation not permitted
  Date: Tue Oct 19 12:15:01 2021
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
  Lsusb:
   Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU USB Tablet
   Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
  Lsusb-t:
   /:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
       |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
  MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
  PciMultimedia:
  ProcEnviron:
   TERM=screen-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=C.UTF-8
   SHELL=/bin/bash
  ProcFB: 0 bochs-drmdrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.4.0-89-generic root=PARTUUID=59ea2f51-599c-49f2-b9b3-77197e333865 ro console=tty1 console=ttyS0
  RelatedPackageVersions:
   linux-restricted-modules-5.4.0-89-generic N/A
   linux-backports-modules-5.4.0-89-generic  N/A
   linux-firmware                            1.187.19
  RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  acpidump:
  dmi.bios.date: 04/01/2014
  dmi.bios.vendor: SeaBIOS
  dmi.bios.version: rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org
  dmi.chassis.type: 1
  dmi.chassis.vendor: QEMU
  dmi.chassis.version: pc-i440fx-5.2
  dmi.modalias: dmi:bvnSeaBIOS:bvrrel-1.14.0-0-g155821a1990b-prebuilt.qemu.org:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-5.2:cvnQEMU:ct1:cvrpc-i440fx-5.2:
  dmi.product.name: Standard PC (i440FX + PIIX, 1996)
  dmi.product.version: pc-i440fx-5.2
  dmi.sys.vendor: QEMU
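The reporter's observation, that the overlay mount is refused exactly when the lowerdir has mount points below it (/ and /dev fail, the leaf mount /dev/shm works), can be predicted from the mount table before running the reproducer. The following script is an added example, not code from the bug report or from the Ubuntu kernel team; it generalises the three directories in the report to any lowerdir candidate. The function names has_submounts, report and try_overlay, the RUN_LIVE switch and the sample mountinfo table are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the Ubuntu kernel packages.
# has_submounts() predicts from the mount table whether an overlay with the
# given lowerdir would be refused on the affected kernels (lowerdir has mount
# points below it); try_overlay() is the reporter's live reproducer.
# Function names, the RUN_LIVE switch and the sample mount table are constructed.

# Print every mount point strictly below DIR, as listed in MOUNTINFO
# (default: /proc/self/mountinfo, whose 5th field is the mount point).
# Returns 0 if there is at least one such mount, 1 if DIR is a leaf mount.
has_submounts() {
    dir=$1
    mi=${2:-/proc/self/mountinfo}
    case "$dir" in
        /)  prefix=/ ;;                      # root: every other mount is below it
        */) dir=${dir%/}; prefix="$dir/" ;;  # tolerate a trailing slash
        *)  prefix="$dir/" ;;
    esac
    found=1
    while read -r _id _parent _devno _root mnt _rest; do
        # Mount points with special characters are octal-escaped in mountinfo
        # (e.g. \040 for a space); the prefix comparison is done on that form.
        case "$mnt" in
            "$prefix"?*) printf '%s\n' "$mnt"; found=0 ;;
        esac
    done < "$mi"
    return $found
}

# One verdict line per lowerdir candidate, derived from the mount table alone.
report() {
    dir=$1; mi=$2
    n=$(has_submounts "$dir" "$mi" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        printf 'lowerdir=%s: %s mount(s) below it, refused on affected kernels\n' "$dir" "$n"
    else
        printf 'lowerdir=%s: leaf mount, overlay mount is allowed\n' "$dir"
    fi
}

# The reporter's reproducer: overlay-mount LOWER over itself inside a fresh
# user+mount namespace. Returns the exit status of mount (0 = allowed).
try_overlay() {
    lower=$1
    scratch=$(mktemp -d)
    mkdir "$scratch/upper" "$scratch/work"
    unshare -m -U -r mount -t overlay none "$lower" \
        -o "lowerdir=$lower,upperdir=$scratch/upper,workdir=$scratch/work" 2>/dev/null
    rc=$?
    rm -rf "$scratch"
    return $rc
}

# Constructed sample mount table in /proc/self/mountinfo format (not captured
# from the reporter's VM): /dev carries two child mounts, /dev/shm none.
SAMPLE_MOUNTINFO=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTINFO"' EXIT
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:5 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw
24 23 0:20 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw
25 23 0:21 / /dev/pts rw,nosuid,noexec shared:4 - devpts devpts rw
26 22 0:4 / /proc rw,nosuid,nodev,noexec shared:5 - proc proc rw
27 22 0:22 / /tmp rw,nosuid,nodev shared:6 - tmpfs tmpfs rw
EOF

# Static prediction for the three directories named in the report.
for d in / /dev /dev/shm; do
    report "$d" "$SAMPLE_MOUNTINFO"
done

# The live reproducer runs only on request, since it needs unprivileged user
# namespaces and overlayfs support on the running kernel.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    for d in / /dev /dev/shm; do
        if try_overlay "$d"; then echo "live: lowerdir=$d mounted"
        else echo "live: lowerdir=$d refused"; fi
    done
fi
```

Run it without arguments for the prediction from the sample table, or with `RUN_LIVE=1` and the default `/proc/self/mountinfo` to compare the prediction against the running kernel.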
[Kernel-packages] [Bug 1947718] Lsusb-v.txt
apport information

** Attachment added: "Lsusb-v.txt"
   https://bugs.launchpad.net/bugs/1947718/+attachment/5534261/+files/Lsusb-v.txt
[Kernel-packages] [Bug 1947718] Lspci-vt.txt
apport information

** Attachment added: "Lspci-vt.txt"
   https://bugs.launchpad.net/bugs/1947718/+attachment/5534260/+files/Lspci-vt.txt
[Kernel-packages] [Bug 1947718] ProcModules.txt
apport information

** Attachment added: "ProcModules.txt"
   https://bugs.launchpad.net/bugs/1947718/+attachment/5534265/+files/ProcModules.txt
[Kernel-packages] [Bug 1947718] ProcCpuinfo.txt
apport information

** Attachment added: "ProcCpuinfo.txt"
   https://bugs.launchpad.net/bugs/1947718/+attachment/5534262/+files/ProcCpuinfo.txt
[Kernel-packages] [Bug 1947718] Lspci.txt
apport information

** Attachment added: "Lspci.txt"
   https://bugs.launchpad.net/bugs/1947718/+attachment/5534259/+files/Lspci.txt
[Kernel-packages] [Bug 1947718] Re: overlay: permission regression in 5.4.0.89.93 due to fix for CVE-2021-3732
apport information

** Tags added: apport-collected

** Description changed:
[Kernel-packages] [Bug 1947718] [NEW] overlay: permission regression in 5.4.0.89.93 due to fix for CVE-2021-3732
Public bug reported:

Since kernel 5.4.0-89.100 on Focal and 4.15.0-159.167 on Bionic I can no longer mount an overlay filesystem over directories like / in a user namespace. With kernel versions 5.4.0-88.99 and 4.15.0-158.166, respectively, this still works.

An easy way to test this is the following command:

  mkdir /tmp/test /tmp/test/upper /tmp/test/work
  unshare -m -U -r mount -t overlay none / -o lowerdir=/,upperdir=/tmp/test/upper,workdir=/tmp/test/work

On an older kernel, this works and outputs nothing. On the affected kernels, it outputs:

  mount: /: wrong fs type, bad option, bad superblock on none, missing codepage or helper program, or other error.

I strongly suspect that this is due to commit "ovl: prevent private clone if bind mount is not allowed" (https://github.com/torvalds/linux/commit/427215d85e8d1476da1a86b8d67aceb485eb3631), which is supposed to fix CVE-2021-3732 and was backported to the affected Ubuntu kernels. This would likely mean that all other supported Ubuntu versions and also the upstream kernel are affected (but I did not test this).

My testing indicates that the mount problem exists whenever I want to use a directory as lowerdir that has some mountpoints below it. For example, using / or /dev as lowerdir does not work, but lowerdir=/dev/shm works even on the affected kernels.

Of course I can understand the problem of CVE-2021-3732, but the current fix is clearly a regression for legitimate behavior. My use case is that I want to create a container for sandboxing purposes where I want to mount overlays inside a user+mount namespace over the whole visible filesystem hierarchy. (Note that in this use case, I iterate over all mount points and create an overlay mount for each existing mount point; I do not expect a single overlay mount to have meaningful cross-mountpoint behavior. So my use case is not affected by the security problem. But for this I still need to be able to create overlay mounts for all mount points, including non-leaf mountpoints.)

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: linux-image-5.4.0-89-generic 5.4.0-89.100
Uname: Linux 5.4.0-89-generic x86_64
Architecture: amd64
Date: Tue Oct 19 12:15:01 2021
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)

** Affects: linux (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: amd64 apport-bug focal

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1947718

Title:
  overlay: permission regression in 5.4.0.89.93 due to fix for CVE-2021-3732

Status in linux package in Ubuntu:
  New
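As an added example (not the reporter's script), the following Python reads a constructed /proc/self/mountinfo excerpt and reports, for each mount point, whether further mount points exist below it, i.e. whether it would still be usable as lowerdir on the affected kernels under the "one overlay per existing mount point" approach described above. The mountinfo sample, its mount IDs, devices and the mount point containing a space are made up for the example.

```python
"""Classify overlay lowerdir candidates by whether mount points exist below them.

Added example, not the reporter's script: on the affected kernels an overlay
mount inside a user namespace fails whenever the lowerdir has mount points
underneath it (/ and /dev fail, /dev/shm works), so a sandbox that wants to
cover the whole hierarchy must know which of its mount points are leaves.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed /proc/self/mountinfo excerpt; mount IDs, devices and the
# "with\040space" mount point are made up for the example.
SAMPLE_MOUNTINFO = r"""
27 0 252:1 / / rw,relatime shared:1 - ext4 /dev/mapper/vg-root rw
22 27 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
23 27 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
24 27 0:6 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=1966196k
25 24 0:22 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw
26 24 0:23 / /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
28 27 0:24 / /tmp rw,nosuid,nodev,relatime shared:8 - tmpfs tmpfs rw
29 27 252:2 / /mnt/with\040space rw,relatime shared:9 - ext4 /dev/vdb1 rw
"""


@dataclass(frozen=True)
class Mount:
    mount_id: int
    parent_id: int
    mount_point: str
    fstype: str


def _unescape(field: str) -> str:
    """mountinfo escapes space, tab, newline and backslash as \\ooo octal sequences."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Mount]:
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # Fields: id parent maj:min root mount_point opts [optional...] - fstype source superopts
        sep = fields.index("-")
        mounts.append(Mount(int(fields[0]), int(fields[1]),
                            _unescape(fields[4]), fields[sep + 1]))
    return mounts


def _is_below(path: str, base: str) -> bool:
    """True if path lies strictly inside base, compared by path component,
    so that /devices is not treated as being below /dev."""
    if base == "/":
        return path != "/"
    return path.startswith(base.rstrip("/") + "/")


def submounts(text: str, lowerdir: str) -> List[str]:
    """Mount points strictly below lowerdir; a non-empty result means the
    overlay mount with this lowerdir fails on the affected kernels."""
    return sorted(m.mount_point for m in parse_mountinfo(text)
                  if _is_below(m.mount_point, lowerdir))


def classify_mount_points(text: str) -> Dict[str, str]:
    """For the "one overlay per existing mount point" approach: which mount
    points are leaves (still usable as lowerdir) and which are not."""
    return {m.mount_point: ("leaf" if not submounts(text, m.mount_point) else "non-leaf")
            for m in parse_mountinfo(text)}


if __name__ == "__main__":
    for mp, kind in sorted(classify_mount_points(SAMPLE_MOUNTINFO).items()):
        print(f"{mp:20} {kind}")
```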
[Kernel-packages] [Bug 1900141] Re: overlay: permission regression in 5.4.0-51.56 due to patches related to CVE-2020-16120
Thanks!

>> I noticed that in the list of affected packages in the bug metadata
>> Bionic is not mentioned. Will the fix also be backported there?
>
> It depends on which kernel you are talking about. The bionic GA kernel
> (4.15) was not affected based on my testing. If you are seeing problems
> with it, please let me know.

4.15 was not affected indeed.

> The bionic HWE kernel is derived from the kernel source in focal, so
> that kernel does not need to be fixed separately from the focal kernel.

Ok, just wanted to make sure this is the case. Everything is fine for me now.

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1900141

Title:
  overlay: permission regression in 5.4.0-51.56 due to patches related to CVE-2020-16120

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Focal:
  Fix Committed
Status in linux source package in Groovy:
  Fix Committed

Bug description:
  SRU Justification

  [Impact]
  The backports to fix CVE-2020-16120 introduced a regression for overlay mounts within user namespaces. Files with ownership outside of the user namespace can no longer be accessed, even if allowed by both DAC and MAC. This issue is fixed by the following upstream commit:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b6650dab404c701d7fe08a108b746542a934da84

  This commit relaxes the check to remove O_NOATIME from the open flags for the file in the lower filesystem when the overlay filesystem mounter is not privileged with respect to the underlying inode, rather than failing the open as happens now.

  [Test Case]
  The attached lp1900141.sh script reproduces the issue.

  [Where problems could occur]
  For the most part this patch restores previous behavior of allowing access to these files while keeping the enhanced permission checks towards the lower filesystem to help prevent unauthorized access to file data in the lower filesystem. The one difference in behavior is that files in the lower filesystem may no longer be opened with the O_NOATIME flag, potentially causing atime updates for these files which were not happening before. If any software expects O_NOATIME behavior in this situation then it could cause problems for that software. However, the correct behavior is that only the inode owner or a process with CAP_FOWNER towards the inode owner is allowed to open with O_NOATIME (as documented in open(2)).

  ---

  We use unprivileged user namespaces with overlay mounts for containers. After recently upgrading our Focal kernels to 5.4.0-51.56 this breaks: one cannot access files through the overlay mount in the container anymore. This is very likely caused by some of the patches that were added in relation to CVE-2020-16120.

  The following commands reproduce the problem when executed as an arbitrary non-root user:

    mkdir /tmp/test /tmp/test/upper /tmp/test/work /tmp/test/usr
    unshare -m -U -r /bin/sh -c "mount -t overlay none /tmp/test/usr -o lowerdir=/usr,upperdir=/tmp/test/upper,workdir=/tmp/test/work; ls -l /tmp/test/usr/bin/id; file /tmp/test/usr/bin/id; /tmp/test/usr/bin/id"

  The output when broken is this:

    -rwxr-xr-x 1 nobody nogroup 47480 Sep 5 2019 /tmp/test/usr/bin/id
    /tmp/test/usr/bin/id: executable, regular file, no read permission
    /bin/sh: 1: /tmp/test/usr/bin/id: Operation not permitted

  The expected output is this:

    -rwxr-xr-x 1 nobody nogroup 43224 Jan 18 2018 /tmp/test/usr/bin/id
    /tmp/test/usr/bin/id: ELF 64-bit LSB shared object, ...
    uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

  These commands create a user namespace and within it mount an overlay of /usr to /tmp/test/usr and then try to access something in it. This works on Ubuntu Bionic with kernel 4.15.0-121.123 (note that this already includes a fix for CVE-2020-16120) and on kernel 5.4.0-48.52 but is broken on kernel 5.4.0-51.56, no matter whether on Bionic or Focal.

  So I strongly suspect that the cause is not the actual security fixes for CVE-2020-16120 but one of the following two patches, which according to the changelogs were applied in the same revision but only to 5.4, not to 4.15:

    ovl: call secutiry hook in ovl_real_ioctl()
    ovl: check permission to open real file

  The mail with the announcement (https://www.openwall.com/lists/oss-security/2020/10/13/6) lists these two commits as separate from the actual security fixes ("may be desired or necessary").

  Is it possible to revert these two changes or fix them such that our unprivileged containers work again on Ubuntu kernel 5.4? Or is there a workaround that I can add to my container solution such that this use case works again?

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: linux-image-5.4.0-51-generic 5.4.0-51.56
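As an added example that is not the kernel patch, the following Python models the two policies the SRU text above contrasts (refusing the open versus dropping O_NOATIME when the overlay mounter neither owns the inode nor holds CAP_FOWNER) and applies the fixed policy to a real open() of a constructed temporary file. Reading CAP_FOWNER from /proc/self/status and using the current process as a stand-in for the mounter are assumptions of this example.

```python
"""User-space model of the relaxed O_NOATIME check described in the SRU text.

Added example, not the kernel patch itself: before the fix, the open of the
real (lower) file was refused when the overlay mounter was not privileged
towards the inode and O_NOATIME was among the flags; after the fix O_NOATIME
is simply dropped in that case, which matches the open(2) rule that only the
inode owner or a CAP_FOWNER holder may request it. Both policies are modelled
as pure functions, and the fixed one is then applied to a real open().
"""
import os
import tempfile

O_NOATIME = getattr(os, "O_NOATIME", 0o1000000)  # Linux-only flag; numeric fallback elsewhere
CAP_FOWNER = 3  # bit index in the CapEff mask


def has_cap_fowner() -> bool:
    """CAP_FOWNER from the effective capability set of this process (Linux /proc)."""
    try:
        with open("/proc/self/status") as f:
            for line in f:
                if line.startswith("CapEff:"):
                    return bool((int(line.split()[1], 16) >> CAP_FOWNER) & 1)
    except OSError:
        pass
    return os.geteuid() == 0  # best-effort approximation without /proc


def mounter_privileged(inode_uid: int, mounter_uid: int, mounter_cap_fowner: bool) -> bool:
    """open(2) condition for O_NOATIME: the opener owns the inode or has CAP_FOWNER over it."""
    return mounter_uid == inode_uid or mounter_cap_fowner


def flags_before_fix(flags: int, inode_uid: int, mounter_uid: int, mounter_cap_fowner: bool) -> int:
    """Regressed behaviour: refuse the whole open instead of adjusting the flags."""
    if flags & O_NOATIME and not mounter_privileged(inode_uid, mounter_uid, mounter_cap_fowner):
        raise PermissionError("O_NOATIME requested by an unprivileged overlay mounter")
    return flags


def refused_before_fix(flags: int, inode_uid: int, mounter_uid: int, mounter_cap_fowner: bool) -> bool:
    """True if the regressed policy would have failed this open."""
    try:
        flags_before_fix(flags, inode_uid, mounter_uid, mounter_cap_fowner)
        return False
    except PermissionError:
        return True


def flags_after_fix(flags: int, inode_uid: int, mounter_uid: int, mounter_cap_fowner: bool) -> int:
    """Fixed behaviour: clear O_NOATIME and let the open proceed (so the lower
    file's atime may now be updated, the one side effect the SRU text names)."""
    if flags & O_NOATIME and not mounter_privileged(inode_uid, mounter_uid, mounter_cap_fowner):
        return flags & ~O_NOATIME
    return flags


def open_real_file(path: str, flags: int) -> int:
    """Open path as the fixed overlay would open its lower file, with the current
    process standing in for the mounter whose credentials the kernel uses."""
    st = os.stat(path)
    effective = flags_after_fix(flags, st.st_uid, os.geteuid(), has_cap_fowner())
    return os.open(path, effective)


def read_with_policy(path: str) -> bytes:
    fd = open_real_file(path, os.O_RDONLY | O_NOATIME)
    try:
        return os.read(fd, 4096)
    finally:
        os.close(fd)


def demo() -> bytes:
    """Constructed input: a temporary file the caller owns, so O_NOATIME is kept;
    for a file owned by another uid the flag would be dropped instead of failing."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"lower file content")
        name = tmp.name
    try:
        return read_with_policy(name)
    finally:
        os.unlink(name)


if __name__ == "__main__":
    print(demo())
```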
[Kernel-packages] [Bug 1900141] Re: overlay: permission regression in 5.4.0-51.56 due to patches related to CVE-2020-16120
Thanks! I tested it on a Focal machine and the -proposed kernel works. However, I don't have a Groovy machine here; is it necessary for me to test this?

I noticed that in the list of affected packages in the bug metadata Bionic is not mentioned. Will the fix also be backported there?

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1900141

Title:
  overlay: permission regression in 5.4.0-51.56 due to patches related to CVE-2020-16120

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Focal:
  Fix Committed
Status in linux source package in Groovy:
  Fix Committed
[Kernel-packages] [Bug 1900141] Re: overlay: permission regression in 5.4.0-51.56 due to patches related to CVE-2020-16120
I noticed that the changelog of the kernel package 5.4.0-50.55~18.04.1 for Bionic now also includes the two additional patches, and indeed I can confirm that on Bionic with kernel 5.4.0-54-generic the regression was now also introduced.

Is there an update whether it will be possible to solve this regression? It breaks our container runtime unfortunately.

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1900141

Title:
  overlay: permission regression in 5.4.0-51.56 due to patches related to CVE-2020-16120

Status in linux package in Ubuntu:
  In Progress
[Kernel-packages] [Bug 1900141] [NEW] overlay: permission regression in 5.4.0-51.56 due to patches related to CVE-2020-16120
Public bug reported:

We use unprivileged user namespaces with overlay mounts for containers. After recently upgrading our Focal kernels to 5.4.0-51.56 this breaks: one cannot access files through the overlay mount in the container anymore. This is very likely caused by some of the patches that were added in relation to CVE-2020-16120.

The following commands reproduce the problem when executed as an arbitrary non-root user:

  mkdir /tmp/test /tmp/test/upper /tmp/test/work /tmp/test/usr
  unshare -m -U -r /bin/sh -c "mount -t overlay none /tmp/test/usr -o lowerdir=/usr,upperdir=/tmp/test/upper,workdir=/tmp/test/work; ls -l /tmp/test/usr/bin/id; file /tmp/test/usr/bin/id; /tmp/test/usr/bin/id"

The output when broken is this:

  -rwxr-xr-x 1 nobody nogroup 47480 Sep 5 2019 /tmp/test/usr/bin/id
  /tmp/test/usr/bin/id: executable, regular file, no read permission
  /bin/sh: 1: /tmp/test/usr/bin/id: Operation not permitted

The expected output is this:

  -rwxr-xr-x 1 nobody nogroup 43224 Jan 18 2018 /tmp/test/usr/bin/id
  /tmp/test/usr/bin/id: ELF 64-bit LSB shared object, ...
  uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

These commands create a user namespace and within it mount an overlay of /usr to /tmp/test/usr and then try to access something in it. This works on Ubuntu Bionic with kernel 4.15.0-121.123 (note that this already includes a fix for CVE-2020-16120) and on kernel 5.4.0-48.52 but is broken on kernel 5.4.0-51.56, no matter whether on Bionic or Focal.

So I strongly suspect that the cause is not the actual security fixes for CVE-2020-16120 but one of the following two patches, which according to the changelogs were applied in the same revision but only to 5.4, not to 4.15:

  ovl: call secutiry hook in ovl_real_ioctl()
  ovl: check permission to open real file

The mail with the announcement (https://www.openwall.com/lists/oss-security/2020/10/13/6) lists these two commits as separate from the actual security fixes ("may be desired or necessary").

Is it possible to revert these two changes or fix them such that our unprivileged containers work again on Ubuntu kernel 5.4? Or is there a workaround that I can add to my container solution such that this use case works again?

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: linux-image-5.4.0-51-generic 5.4.0-51.56
Uname: Linux 5.4.0-51-generic x86_64
Architecture: amd64
Date: Fri Oct 16 13:02:32 2020
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)

** Affects: linux (Ubuntu)
   Importance: Undecided
   Status: Confirmed

** Tags: amd64 apport-bug focal

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1900141

Title:
  overlay: permission regression in 5.4.0-51.56 due to patches related to CVE-2020-16120

Status in linux package in Ubuntu:
  Confirmed
[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
Tyler, thanks for the clarification. I have tested it with 4.15.0-42-generic from bionic-proposed and can confirm it is fixed.

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1793458

Title:
  Overlayfs in user namespace leaks directory content of inaccessible directories

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  In Progress

Bug description:
  Summary:
  With a combination of overlayfs and user namespaces, regular users can see the content of directories that would otherwise be inaccessible to them because of directory permissions (e.g., all users can see content of "/root").

  Details:
  For the exploit it is necessary to create user and mount namespaces and mount an overlayfs inside it. Ubuntu allows this for regular users. The lower dir of the overlay would be "/", and the upper dir an attacker-controlled temporary directory. If the attacker wants to see the content of "/root", they would create a directory "root" in the upper dir of the overlay. Overlayfs seems to get confused about the permissions, and instead of applying the restrictive permissions of "root" from the lower dir, it applies the more relaxed restrictions of "root" from the upper dir, granting the attacker the possibility to list the directory contents of "/root".

  To reproduce, simply run the attached script as regular user. It will show the content of "/root"; on my system the output is this:

  ```
  /bin/ls: cannot access '/root/.cache': Permission denied
  /bin/ls: cannot access '/root/.bashrc': Permission denied
  /bin/ls: cannot access '/root/snap': Permission denied
  /bin/ls: cannot access '/root/.gnupg': Permission denied
  /bin/ls: cannot access '/root/.aptitude': Permission denied
  /bin/ls: cannot access '/root/.bash_history': Permission denied
  /bin/ls: cannot access '/root/.profile': Permission denied
  /bin/ls: cannot access '/root/.hplip': Permission denied
  total 8
  drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 .
  drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 ..
  d? ? ? ? ?? .aptitude
  -? ? ? ? ?? .bash_history
  -? ? ? ? ?? .bashrc
  d? ? ? ? ?? .cache
  d? ? ? ? ?? .gnupg
  d? ? ? ? ?? .hplip
  -? ? ? ? ?? .profile
  d? ? ? ? ?? snap
  ```

  The script also has some comments that explain the necessary steps in more detail.

  I tested on Ubuntu 18.04 with Linux 4.15.0-34-generic, but the bug probably affects all Ubuntu versions of the last years. Other distributions and the vanilla kernel should not be affected because AFAIK only Ubuntu allows mounting of overlayfs inside user namespaces. But of course it would be good to apply a potential fix upstream.

  So far I did not succeed in doing more than leaking the directory content, but of course that is no guarantee that it is not possible to do worse things.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-image-4.15.0-34-generic 4.15.0-34.37
  ProcVersionSignature: Ubuntu 4.15.0-34.37-generic 4.15.18
  Uname: Linux 4.15.0-34-generic x86_64
  Architecture: amd64
  Date: Thu Sep 20 08:56:01 2018
[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
I find the demand to test the fix within 5 days, combined with the threat of dropping the patch otherwise, unreasonable. In my original report of this security problem I have already provided a script that allows reproducing the problem and checking whether it still exists. Requiring an answer within 5 days is too short; after all, people can be on holiday or just busy for other reasons. And even if I as the original submitter wouldn't respond at all, this is a real security problem in Ubuntu that was already confirmed. Are you really going to drop the patch and let CVE-2018-6559 stay unfixed forever?

Maybe I will find the time to test it on Bionic, but I will certainly not install a different version of Ubuntu than the one I am currently running.

I hope that this is all just a misunderstanding and the message does not apply to security problems. In this case please consider changing the message or improving the process such that this confusion will be avoided for future reports.

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1793458

Title:
  Overlayfs in user namespace leaks directory content of inaccessible directories

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Committed
Status in linux source package in Disco:
  In Progress
[Kernel-packages] [Bug 1566471] Re: kernel oops: NULL pointer dereference in nfs_inode_attach_open_context+0x37/0x70 [nfs]
I tested 4.4.0-22.38_amd64 on Ubuntu 14.04 with an overlay over an NFS4 mount (same situation as in comment #7) and the crash when reading existing files from the lower layer is gone. I did not test overlay over NFS3.

I still cannot successfully write to files that exist in the lower layer ("Operation not supported"), only to new files, but I guess this is not in the scope of this bug report.

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1566471

Title:
  kernel oops: NULL pointer dereference in nfs_inode_attach_open_context+0x37/0x70 [nfs]

Status in linux package in Ubuntu:
  Incomplete
Status in linux-lts-xenial package in Ubuntu:
  Confirmed

Bug description:
  I'm attempting to boot a Xenial server install (created from debootstrap) via NFS with overlayroot so that the initial rootfs is read-only (via NFS) and all modifications are written to a tmpfs so that I can boot many such machines. The kernel oops occurs during run-init after the initramfs has successfully mounted the NFS rootfs, created the tmpfs, and the overlayfs using both. If I do not use overlayfs, and just boot into the NFS root (read-write), then everything works.

  Note that the following oops was gathered from a qemu virtual machine that I netbooted, though the apport output was from real hardware. The issue occurs in both cases. Please let me know if I can provide more information.
[Kernel-packages] [Bug 1566471] Re: kernel oops: NULL pointer dereference in nfs_inode_attach_open_context+0x37/0x70 [nfs]
I also experience this problem using the Xenial kernel 4.4.0-18.34~14.04.1 on Ubuntu 14.04. I can even reproduce it as a non-root user by creating an overlay mount inside a user namespace. After mounting an overlay over an NFS mount, I can successfully traverse existing directories and create, write, read, and remove new files. As soon as I try to read an existing file (from the lower layer NFS mount), the application that attempts the read dies and the syslog shows the kernel bug. The system continues running afterwards.

Furthermore, a similar crash occurs for NFS 4 mounts:

Apr 13 09:49:20 tortuga kernel: [ 4611.794037] BUG: unable to handle kernel NULL pointer dereference at 0160
Apr 13 09:49:20 tortuga kernel: [ 4611.794144] IP: [] nfs4_file_open+0xcd/0x1d0 [nfsv4]
Apr 13 09:49:20 tortuga kernel: [ 4611.794202] PGD 414777067 PUD 302045067 PMD 0
Apr 13 09:49:20 tortuga kernel: [ 4611.794233] Oops: [#1] SMP
Apr 13 09:49:20 tortuga kernel: [ 4611.794255] Modules linked in: overlay rpcsec_gss_krb5 nfsv4 ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_CHECKSUM iptable_mangle xt_tcpudp ip6table_filter ip6_tables iptable_filter ip_tables ebtable_nat ebtables x_tables autofs4 bridge stp llc bnep rfcomm bluetooth nfsd auth_rpcgss nfs_acl nfs binfmt_misc lockd grace sunrpc fscache dm_crypt input_leds joydev snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec_hdmi snd_hda_intel snd_hda_codec hid_generic snd_hda_core snd_hwdep intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp dcdbas snd_pcm kvm_intel snd_seq_midi snd_seq_midi_event kvm snd_rawmidi usbhid dm_multipath hid snd_seq snd_seq_device irqbypass crct10dif_pclmul snd_timer crc32_pclmul serio_raw snd aesni_intel mei_me aes_x86_64 soundcore lrw gf128mul mei glue_helper ablk_helper shpchp cryptd ppdev msr lpc_ich cpuid parport_pc 8250_fintek mac_hid lp parport amdkfd amd_iommu_v2 radeon i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops e1000e drm ahci psmouse ptp libahci pps_core fjes video [last unloaded: ipmi_msghandler]
Apr 13 09:49:20 tortuga kernel: [ 4611.794983] CPU: 4 PID: 14306 Comm: cat Not tainted 4.4.0-18-generic #34~14.04.1-Ubuntu
Apr 13 09:49:20 tortuga kernel: [ 4611.795027] Hardware name: Dell Inc. OptiPlex 790/0HY9JP, BIOS A07 09/10/2011
Apr 13 09:49:20 tortuga kernel: [ 4611.795067] task: 8800a9822940 ti: 8803e9d3 task.ti: 8803e9d3
Apr 13 09:49:20 tortuga kernel: [ 4611.795108] RIP: 0010:[] [] nfs4_file_open+0xcd/0x1d0 [nfsv4]
Apr 13 09:49:20 tortuga kernel: [ 4611.795171] RSP: 0018:8803e9d33c18 EFLAGS: 00010246
Apr 13 09:49:20 tortuga kernel: [ 4611.795200] RAX: RBX: 8803e7d78700 RCX: 8803e9d33c38
Apr 13 09:49:20 tortuga kernel: [ 4611.795239] RDX: 8000 RSI: 8803f09a8540 RDI: 88041873a148
Apr 13 09:49:20 tortuga kernel: [ 4611.795278] RBP: 8803e9d33cb0 R08: R09: 88041cc03800
Apr 13 09:49:20 tortuga kernel: [ 4611.795317] R10: c06c9230 R11: ea000f9f5e00 R12:
Apr 13 09:49:20 tortuga kernel: [ 4611.795356] R13: 880317e9b680 R14: R15: 88041873a148
Apr 13 09:49:20 tortuga kernel: [ 4611.795396] FS: 7f8678c77740() GS:88041d30() knlGS:
Apr 13 09:49:20 tortuga kernel: [ 4611.795440] CS: 0010 DS: ES: CR0: 80050033
Apr 13 09:49:20 tortuga kernel: [ 4611.795472] CR2: 0160 CR3: 000374f2b000 CR4: 000406e0
Apr 13 09:49:20 tortuga kernel: [ 4611.795510] Stack:
Apr 13 09:49:20 tortuga kernel: [ 4611.795523] 8803850868f0 8000 880317d39740 8803f09a8540
Apr 13 09:49:20 tortuga kernel: [ 4611.795568] 88038000 0001 8803850868f0
Apr 13 09:49:20 tortuga kernel: [ 4611.795612] 8803850868f0 8803e7d78700 8803e7d78710
Apr 13 09:49:20 tortuga kernel: [ 4611.795656] Call Trace:
Apr 13 09:49:20 tortuga kernel: [ 4611.795677] [] do_dentry_open+0x227/0x320
Apr 13 09:49:20 tortuga kernel: [ 4611.795720] [] ? nfs4_file_fsync+0x180/0x180 [nfsv4]
Apr 13 09:49:20 tortuga kernel: [ 4611.795757] [] vfs_open+0x57/0x60
Apr 13 09:49:20 tortuga kernel: [ 4611.795787] [] path_openat+0x1ad/0x1310
Apr 13 09:49:20 tortuga kernel: [ 4611.795820] [] do_filp_open+0x7e/0xd0
Apr 13 09:49:20 tortuga kernel: [ 4611.795852] [] ? cp_new_stat+0x13d/0x160
Apr 13 09:49:20 tortuga kernel: [ 4611.795885] [] ? __alloc_fd+0x46/0x180
Apr 13 09:49:20 tortuga kernel: [ 4611.795916] [] do_sys_open+0x129/0x270
Apr 13 09:49:20 tortuga kernel: [ 4611.795947] [] SyS_open+0x1e/0x20
Apr 13 09:49:20 tortuga kernel: [ 4611.795978] [] entry_SYSCALL_64_fastpath+0x16/0x75
Apr 13 09:49:20 tortuga kernel: [ 4611.796013] Code: 00 00 49 8b 47 28 45 31 c0 48 8d 4d 88 8b 95
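The reproduction sequence in the comment above (overlay over an NFS lowerdir, mounted by a non-root user inside a user+mount namespace, new files working, a read of a file that only exists in the lower layer killing the reader), written out as a script. This is an added example, not code from the bug report. It assumes an already-mounted NFS export is passed as the first argument, a file that exists below it as the second, and a kernel that permits overlay mounts inside unprivileged user namespaces; the helper names (overlay_opts, describe_rc, exercise_overlay) and the exit codes 2/3/4 are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the bug report: reproduce "overlay over NFS, then
# read an existing lower-layer file" as a non-root user in a user+mount
# namespace. Assumptions: $1 is an NFS mount (used as lowerdir), $2 is a file
# that exists below it, and the kernel allows unprivileged overlay mounts.

# Compose the overlay mount options from the three layer directories.
overlay_opts() {
    printf 'lowerdir=%s,upperdir=%s,workdir=%s' "$1" "$2" "$3"
}

# Map the inner helper's exit status to what it means for this bug. Any other
# status means the helper was killed, which is what an oops that takes the
# reading process down looks like from the outside.
describe_rc() {
    case "$1" in
        0) echo "PASS: existing lower-layer file is readable through the overlay" ;;
        2) echo "SKIP: overlay mount refused inside the user namespace" ;;
        3) echo "FAIL: creating and reading a new (upper-layer) file failed" ;;
        4) echo "FAIL: read of an existing lower-layer file failed; check dmesg for an oops" ;;
        *) echo "FAIL: helper died with status $1 (reader killed; check dmesg for an oops)" ;;
    esac
}

# Runs inside the new namespaces. The new-file step comes first because the
# report says new files work and only reading a pre-existing lower file
# triggers the bug; keeping them separate tells the two cases apart.
exercise_overlay() {
    lower=$1 upper=$2 work=$3 merged=$4 existing=$5
    mount -t overlay overlay -o "$(overlay_opts "$lower" "$upper" "$work")" "$merged" || return 2
    echo probe > "$merged/probe-new-file" && cat "$merged/probe-new-file" >/dev/null || return 3
    cat "$merged/$existing" >/dev/null || return 4
    return 0
}

main() {
    if [ "$1" = "--inner" ]; then
        shift
        exercise_overlay "$@"
        exit $?
    fi
    if [ "$#" -ne 2 ]; then
        echo "usage: $0 NFS_LOWERDIR FILE_RELATIVE_TO_LOWERDIR" >&2
        exit 64
    fi
    scratch=$(mktemp -d)
    trap 'rm -rf "$scratch"' EXIT
    mkdir "$scratch/upper" "$scratch/work" "$scratch/merged"
    # -U: new user namespace, -r: map our uid to root inside it, -m: new mount
    # namespace, so the overlay mount is private and vanishes with the helper.
    unshare -U -r -m "$0" --inner "$1" "$scratch/upper" "$scratch/work" "$scratch/merged" "$2"
    rc=$?
    describe_rc "$rc"
    return "$rc"
}

# Only run when invoked with arguments, so the helpers can be sourced alone.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as an ordinary user, for example `sh repro.sh /mnt/nfs etc/hostname`; the script re-executes itself under unshare so the mount happens with the namespace's mapped root, and the upper and work directories live on local storage so that only the lower layer is NFS.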
[Kernel-packages] [Bug 1531747] Re: overlay: mkdir fails if directory exists in lowerdir in a user namespace
** Also affects: linux-lts-wily (Ubuntu)
   Importance: Undecided
       Status: New

--
https://bugs.launchpad.net/bugs/1531747

Title:
  overlay: mkdir fails if directory exists in lowerdir in a user namespace

Status in linux package in Ubuntu:
  Triaged
Status in linux-lts-wily package in Ubuntu:
  New
Status in linux source package in Wily:
  Triaged
Status in linux-lts-wily source package in Wily:
  New
Status in linux source package in Xenial:
  Triaged
Status in linux-lts-wily source package in Xenial:
  New

Bug description:
  If a directory exists in the lowerdir but not in the mounted overlay, then mkdir of the directory in the target dir results in a mysterious -EPERM. I've seen this both in the wily kernel (4.2.0-22-generic #27-Ubuntu) and in a hand-built xenial master-next (with unrelated patches added).

  =
  #!/bin/sh -ex
  dir=$(mktemp -d)
  cleanup() {
      umount -l "$dir/t"
      rm -rf "$dir"
  }
  trap cleanup EXIT
  echo "dir is $dir"
  mkdir -p "$dir/l" "$dir/u" "$dir/w" "$dir/t"
  # the directory exists only in the lower layer
  mkdir "$dir/l/dev"
  mount -t overlay -o "lowerdir=$dir/l,upperdir=$dir/u,workdir=$dir/w" o "$dir/t"
  stat "$dir/t/dev"
  # removing it through the overlay leaves a whiteout in the upper layer
  rmdir "$dir/t/dev"
  # recreating it is what fails with EPERM; report the status instead of letting -e abort silently
  mkdir "$dir/t/dev" || { echo "mkdir failed with status $?; it should have succeeded" >&2; exit 1; }
  echo "mkdir succeeded"
  =

  The above will work on the host, but fail in a user namespace, i.e. in a regular lxd container.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1531747/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp