[Kernel-packages] [Bug 1947718] Re: overlay: permission regression in 5.4.0.89.93 due to fix for CVE-2021-3732

2022-06-13 Thread Philipp Wendler
I now tested with newer kernels: The regression is still present in
5.15.0-33-generic from the hwe-edge package for Ubuntu 20.04.

I also tested kernels from the Ubuntu Mainline Kernel Archive. It works
with 5.13.0-051300-generic and fails with 5.14.0-051400-generic and also
still with 5.18.3-051803-generic. So this is consistent with my
hypothesis about which commit is the problem.

Is there a chance to get this resolved? If I can be of any further help,
e.g., by testing more kernel versions, please let me know!

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1947718

Title:
  overlay: permission regression in 5.4.0.89.93 due to fix for
  CVE-2021-3732

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Since kernel 5.4.0-89.100 on Focal and 4.15.0-159.167 on Bionic I can
  no longer mount an overlay filesystem over directories like / in a
  user namespace. With kernel versions 5.4.0-88.99 and 4.15.0-158.166,
  respectively, this still works.

  An easy way to test this is the following commands:
  mkdir /tmp/test /tmp/test/upper /tmp/test/work
  unshare -m -U -r mount -t overlay none / -o lowerdir=/,upperdir=/tmp/test/upper,workdir=/tmp/test/work

  On an older kernel, this works and outputs nothing.
  On the affected kernels, it outputs

  mount: /: wrong fs type, bad option, bad superblock on none, missing
  codepage or helper program, or other error.

  I strongly suspect that this is due to commit "ovl: prevent private
  clone if bind mount is not allowed"
  (https://github.com/torvalds/linux/commit/427215d85e8d1476da1a86b8d67aceb485eb3631),
  which is supposed to fix CVE-2021-3732 and was backported to the
  affected Ubuntu kernels. This would likely mean that also all other
  supported Ubuntu versions are affected and also upstream kernel (but I
  did not test this).

  My testing indicates that the mount problem exists whenever I want to
  use a directory as lowerdir that has some mountpoints below. For
  example, using / or /dev as lowerdir does not work, but
  lowerdir=/dev/shm works even on the affected kernels.

  Of course I can understand the problem of CVE-2021-3732, but the
  current fix is clearly a regression for legitimate behavior.

  My use case is that I want to create a container for sandboxing
  purposes where I want to mount overlays inside a user+mount namespace
  over the whole visible filesystem hierarchy. (Note that in this use
  case, I iterate over all mount points and create an overlay mount for
  each existing mount point, I do not expect a single overlay mount to
  have meaningful cross-mountpoint behavior. So my use case is not
  affected by the security problem. But for this I still need to be able
  to create overlay mounts for all mount points, including non-leaf
  mountpoints.)

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: linux-image-5.4.0-89-generic 5.4.0-89.100
  ProcVersionSignature: User Name 5.4.0-89.100-generic 5.4.143
  Uname: Linux 5.4.0-89-generic x86_64
  AlsaDevices:
   total 0
   crw-rw 1 root audio 116,  1 Oct 19 04:42 seq
   crw-rw 1 root audio 116, 33 Oct 19 04:42 timer
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
  ApportVersion: 2.20.11-0ubuntu27.20
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
  AudioDevicesInUse: Error: [Errno 2] No such file or directory: 'fuser'
  CasperMD5CheckResult: skip
  CurrentDmesg: Error: command ['dmesg'] failed with exit code 1: dmesg: read kernel buffer failed: Operation not permitted
  Date: Tue Oct 19 12:15:01 2021
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
  Lsusb:
   Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU USB Tablet
   Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
  Lsusb-t:
   /:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
   |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
  MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
  PciMultimedia:
   
  ProcEnviron:
   TERM=screen-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=C.UTF-8
   SHELL=/bin/bash
  ProcFB: 0 bochs-drmdrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.4.0-89-generic root=PARTUUID=59ea2f51-599c-49f2-b9b3-77197e333865 ro console=tty1 console=ttyS0
  RelatedPackageVersions:
   linux-restricted-modules-5.4.0-89-generic N/A
   linux-backports-modules-5.4.0-89-generic  N/A
   linux-firmware 1.187.19
  RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  acpidump:
   
  dmi.bios.date: 04/01/2014
  dmi.bios.vendor: SeaBIOS
  dmi.bios.version: rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org
  dmi.chassis.type: 1
  dmi.chassis.vendor: QEMU
  dmi.chassis.version: pc-i440fx-5.2
  
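An added example, not code from the bug report or from Ubuntu: a POSIX shell script that runs the reporter's reproducer (an overlay mounted over its own lowerdir inside a fresh user+mount namespace) against several lowerdirs and, for each, says whether the directory has mount points below it, which is the condition the report ties the failure to. It assumes util-linux unshare(1) and mount(8) and a readable /proc/self/mountinfo; the function names, the scratch-directory layout and the candidate list in the usage line are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the bug report: run the report's overlay-over-lowerdir
# reproducer for several lowerdirs and classify each as "leaf" or "has submounts"
# by parsing /proc/self/mountinfo. Function names, scratch layout and the default
# candidate list are choices made for this example.

# Print every mount point that lies strictly below directory $1, one per line.
# /proc/self/mountinfo field 5 is the mount point; spaces in paths appear there
# as \040 escapes, so whitespace splitting is safe. Comparing with a trailing "/"
# keeps a path like /devices from matching /dev.
submounts_of() {
    prefix=${1%/}/
    while read -r _ _ _ _ mnt _; do
        case "$mnt/" in
            "$prefix")  ;;                        # the directory itself
            "$prefix"*) printf '%s\n' "$mnt" ;;   # something mounted below it
        esac
    done < /proc/self/mountinfo
}

# Exit 0 if $1 has at least one mount point below it, 1 if it is a leaf.
has_submounts() {
    [ -n "$(submounts_of "$1")" ]
}

# The reproducer from the report with lowerdir $1 and a private scratch area for
# upperdir/workdir. Returns mount's exit status from inside the new namespace.
try_overlay() {
    lower=$1
    scratch=$(mktemp -d /tmp/ovl-test.XXXXXX) || return 2
    mkdir "$scratch/upper" "$scratch/work" || { rm -rf "$scratch"; return 2; }
    unshare -m -U -r mount -t overlay none "$lower" \
        -o "lowerdir=$lower,upperdir=$scratch/upper,workdir=$scratch/work" \
        >/dev/null 2>&1
    rc=$?
    # overlayfs leaves a mode-0 "work" subdirectory behind; make it removable.
    chmod -R u+rwx "$scratch" 2>/dev/null
    rm -rf "$scratch"
    return $rc
}

# One line per candidate lowerdir: nested-or-leaf classification and mount result.
# On an affected kernel the report expects / and /dev to fail and /dev/shm to work.
report() {
    for lower in "$@"; do
        if has_submounts "$lower"; then kind="has submounts"; else kind="leaf"; fi
        try_overlay "$lower"; rc=$?
        if [ "$rc" -eq 0 ]; then result=ok; else result="FAIL (rc=$rc)"; fi
        printf '%-12s %-14s overlay mount: %s\n' "$lower" "$kind" "$result"
    done
}

# Usage: sh ovl-test.sh / /dev /dev/shm /tmp   (no arguments: only define functions)
if [ "$#" -gt 0 ]; then
    printf 'kernel: %s\n' "$(uname -r)"
    report "$@"
fi
```

The script only records mount's exit status; the error text on an affected kernel is the generic mount(8) message quoted in the report, so the classification column is what tells the two cases apart. Two caveats: the scratch upperdir/workdir live under /tmp, so when /tmp is itself a separate mount they are outside the lowerdir for every candidate except /, and on a non-Ubuntu kernel older than 5.11 overlayfs cannot be mounted inside a user namespace at all, so every row fails regardless of the regression described here.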

[Kernel-packages] [Bug 1947718] Re: overlay: permission regression in 5.4.0.89.93 due to fix for CVE-2021-3732

2022-01-10 Thread Philipp Wendler
This is a kernel regression and now almost three months old. Could
somebody please have a look?

[Kernel-packages] [Bug 1947718] Re: overlay: permission regression in 5.4.0.89.93 due to fix for CVE-2021-3732

2021-10-19 Thread Philipp Wendler
Status set to "Confirmed" as requested by the bot after uploading logs
(although I did upload them when creating the issue as well...).

[Kernel-packages] [Bug 1947718] Re: overlay: permission regression in 5.4.0.89.93 due to fix for CVE-2021-3732

2021-10-19 Thread Philipp Wendler
apport information

** Tags added: apport-collected

** Description changed:
