[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
This bug was fixed in the package linux - 4.19.0-12.13
---
linux (4.19.0-12.13) disco; urgency=medium
* linux: 4.19.0-12.13 -proposed tracker (LP: #1813664)
* kernel oops in bcache module (LP: #1793901)
- SAUCE: bcache: never writeback a discard operation
* Disco update: 4.19.18 upstream stable release (LP: #1813611)
- ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped
address
- mlxsw: spectrum: Disable lag port TX before removing it
- mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
- net: dsa: mv88x6xxx: mv88e6390 errata
- net, skbuff: do not prefer skb allocation fails early
- qmi_wwan: add MTU default to qmap network interface
- ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
- net: clear skb->tstamp in bridge forwarding path
- netfilter: ipset: Allow matching on destination MAC address for mac and
ipmac sets
- gpio: pl061: Move irq_chip definition inside struct pl061
- drm/amd/display: Guard against null stream_state in set_crc_source
- drm/amdkfd: fix interrupt spin lock
- ixgbe: allow IPsec Tx offload in VEPA mode
- platform/x86: asus-wmi: Tell the EC the OS will handle the display off
hotkey
- e1000e: allow non-monotonic SYSTIM readings
- usb: typec: tcpm: Do not disconnect link for self powered devices
- selftests/bpf: enable (uncomment) all tests in test_libbpf.sh
- of: overlay: add missing of_node_put() after add new node to changeset
- writeback: don't decrement wb->refcnt if !wb->bdi
- serial: set suppress_bind_attrs flag only if builtin
- bpf: Allow narrow loads with offset > 0
- ALSA: oxfw: add support for APOGEE duet FireWire
- x86/mce: Fix -Wmissing-prototypes warnings
- MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
- crypto: ecc - regularize scalar for scalar multiplication
- arm64: perf: set suppress_bind_attrs flag to true
- drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
- clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
- samples: bpf: fix: error handling regarding kprobe_events
- usb: gadget: udc: renesas_usb3: add a safety connection way for
forced_b_device
- fpga: altera-cvp: fix probing for multiple FPGAs on the bus
- selinux: always allow mounting submounts
- ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
- scsi: qedi: Check for session online before getting iSCSI TLV data.
- drm/amdgpu: Reorder uvd ring init before uvd resume
- rxe: IB_WR_REG_MR does not capture MR's iova field
- efi/libstub: Disable some warnings for x86{,_64}
- jffs2: Fix use of uninitialized delayed_work, lockdep breakage
- clk: imx: make mux parent strings const
- pstore/ram: Do not treat empty buffers as valid
- media: uvcvideo: Refactor teardown of uvc on USB disconnect
- powerpc/xmon: Fix invocation inside lock region
- powerpc/pseries/cpuidle: Fix preempt warning
- media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
- ASoC: use dma_ops of parent device for acp_audio_dma
- media: venus: core: Set dma maximum segment size
- staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io'
- net: call sk_dst_reset when set SO_DONTROUTE
- scsi: target: use consistent left-aligned ASCII INQUIRY data
- scsi: target/core: Make sure that target_wait_for_sess_cmds() waits long
enough
- selftests: do not macro-expand failed assertion expressions
- arm64: kasan: Increase stack size for KASAN_EXTRA
- clk: imx6q: reset exclusive gates on init
- arm64: Fix minor issues with the dcache_by_line_op macro
- bpf: relax verifier restriction on BPF_MOV | BPF_ALU
- kconfig: fix file name and line number of warn_ignored_character()
- kconfig: fix memory leak when EOF is encountered in quotation
- mmc: atmel-mci: do not assume idle after atmci_request_end
- btrfs: volumes: Make sure there is no overlap of dev extents at mount time
- btrfs: alloc_chunk: fix more DUP stripe size handling
- btrfs: fix use-after-free due to race between replace start and cancel
- btrfs: improve error handling of btrfs_add_link
- tty/serial: do not free trasnmit buffer page under port lock
- perf intel-pt: Fix error with config term "pt=0"
- perf tests ARM: Disable breakpoint tests 32-bit
- perf svghelper: Fix unchecked usage of strncpy()
- perf parse-events: Fix unchecked usage of strncpy()
- perf vendor events intel: Fix Load_Miss_Real_Latency on SKL/SKX
- netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
- netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine
- netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
- x86/topology: Use total_cpus for max logical packages calculation
- dm crypt: use u64 instead of sector_t
[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
This bug was fixed in the package linux - 4.15.0-42.45 --- linux (4.15.0-42.45) bionic; urgency=medium * linux: 4.15.0-42.45 -proposed tracker (LP: #1803592) * [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405) - KVM: s390: reset crypto attributes for all vcpus - KVM: s390: vsie: simulate VCPU SIE entry/exit - KVM: s390: introduce and use KVM_REQ_VSIE_RESTART - KVM: s390: refactor crypto initialization - s390: vfio-ap: base implementation of VFIO AP device driver - s390: vfio-ap: register matrix device with VFIO mdev framework - s390: vfio-ap: sysfs interfaces to configure adapters - s390: vfio-ap: sysfs interfaces to configure domains - s390: vfio-ap: sysfs interfaces to configure control domains - s390: vfio-ap: sysfs interface to view matrix mdev matrix - KVM: s390: interface to clear CRYCB masks - s390: vfio-ap: implement mediated device open callback - s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl - s390: vfio-ap: zeroize the AP queues - s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl - KVM: s390: Clear Crypto Control Block when using vSIE - KVM: s390: vsie: Do the CRYCB validation first - KVM: s390: vsie: Make use of CRYCB FORMAT2 clear - KVM: s390: vsie: Allow CRYCB FORMAT-2 - KVM: s390: vsie: allow CRYCB FORMAT-1 - KVM: s390: vsie: allow CRYCB FORMAT-0 - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1 - KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2 - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2 - KVM: s390: device attrs to enable/disable AP interpretation - KVM: s390: CPU model support for AP virtualization - s390: doc: detailed specifications for AP virtualization - KVM: s390: fix locking for crypto setting error path - KVM: s390: Tracing APCB changes - s390: vfio-ap: setup APCB mask using KVM dedicated function - s390/zcrypt: Add ZAPQ inline function. - s390/zcrypt: Review inline assembler constraints. - s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h. - s390/zcrypt: fix ap_instructions_available() returncodes - s390/zcrypt: remove VLA usage from the AP bus - s390/zcrypt: Remove deprecated ioctls. - s390/zcrypt: Remove deprecated zcrypt proc interface. - s390/zcrypt: Support up to 256 crypto adapters. - [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module. * Bypass of mount visibility through userns + mount propagation (LP: #1789161) - mount: Retest MNT_LOCKED in do_umount - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts * CVE-2018-18955: nested user namespaces with more than five extents incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955 - userns: also map extents in the reverse map to kernel IDs * kdump fail due to an IRQ storm (LP: #1797990) - SAUCE: x86/PCI: Export find_cap() to be used in early PCI code - SAUCE: x86/quirks: Add parameter to clear MSIs early on boot - SAUCE: x86/quirks: Scan all busses for early PCI quirks -- Thadeu Lima de Souza Cascardo Thu, 15 Nov 2018 17:01:46 -0200 ** Changed in: linux (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1793458 Title: Overlayfs in user namespace leaks directory content of inaccessible directories Status in linux package in Ubuntu: In Progress Status in linux source package in Bionic: Fix Released Status in linux source package in Cosmic: Fix Released Status in linux source package in Disco: In Progress Bug description: Summary: With a combination of overlayfs and user namespaces, regular users can see the content of directories that would otherwise be inaccessible to them because of directory permissions (e.g., all users can see content of "/root"). Details: For the exploit it is necessary to create user and mount namespaces and mount an overlayfs inside it. Ubuntu allows this for regular users. The lower dir of the overlay would be "/", and the upper dir an attacker-controlled temporary directory. If the attacker wants to see the content of "/root", they would create a directory "root" in the upper dir of the overlay. Overlays seems to get confused about the permissions, and instead of applying the restrictive permissions of "root" from the lower dir, it applies more relaxed restrictions of "root" from the upper dir, granting the attacker the possibility to list the directory contents of "/root". To reproduce, simply run the attached script as regular user. It will show the content of "/root", on my system the output is this: ``` /bin/ls: cannot access '/root/.cache': Permission denied /bin/ls: cannot access '/root/.bashrc': Permission denied /bin/ls: cannot access '/root/snap': Permission
[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
This bug was fixed in the package linux - 4.18.0-12.13 --- linux (4.18.0-12.13) cosmic; urgency=medium * linux: 4.18.0-12.13 -proposed tracker (LP: #1802743) * [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405) - s390/zcrypt: Add ZAPQ inline function. - s390/zcrypt: Review inline assembler constraints. - s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h. - s390/zcrypt: fix ap_instructions_available() returncodes - KVM: s390: vsie: simulate VCPU SIE entry/exit - KVM: s390: introduce and use KVM_REQ_VSIE_RESTART - KVM: s390: refactor crypto initialization - s390: vfio-ap: base implementation of VFIO AP device driver - s390: vfio-ap: register matrix device with VFIO mdev framework - s390: vfio-ap: sysfs interfaces to configure adapters - s390: vfio-ap: sysfs interfaces to configure domains - s390: vfio-ap: sysfs interfaces to configure control domains - s390: vfio-ap: sysfs interface to view matrix mdev matrix - KVM: s390: interface to clear CRYCB masks - s390: vfio-ap: implement mediated device open callback - s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl - s390: vfio-ap: zeroize the AP queues - s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl - KVM: s390: Clear Crypto Control Block when using vSIE - KVM: s390: vsie: Do the CRYCB validation first - KVM: s390: vsie: Make use of CRYCB FORMAT2 clear - KVM: s390: vsie: Allow CRYCB FORMAT-2 - KVM: s390: vsie: allow CRYCB FORMAT-1 - KVM: s390: vsie: allow CRYCB FORMAT-0 - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1 - KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2 - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2 - KVM: s390: device attrs to enable/disable AP interpretation - KVM: s390: CPU model support for AP virtualization - s390: doc: detailed specifications for AP virtualization - KVM: s390: fix locking for crypto setting error path - KVM: s390: Tracing APCB changes - s390: vfio-ap: setup APCB mask using KVM dedicated function - [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module. * Bypass of mount visibility through userns + mount propagation (LP: #1789161) - mount: Retest MNT_LOCKED in do_umount - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts * CVE-2018-18955: nested user namespaces with more than five extents incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955 - userns: also map extents in the reverse map to kernel IDs * kdump fail due to an IRQ storm (LP: #1797990) - SAUCE: x86/PCI: Export find_cap() to be used in early PCI code - SAUCE: x86/quirks: Add parameter to clear MSIs early on boot - SAUCE: x86/quirks: Scan all busses for early PCI quirks * crash in ENA driver on removing an interface (LP: #1802341) - SAUCE: net: ena: fix crash during ena_remove() * Ubuntu 18.04.1 - [s390x] Kernel panic while stressing network bonding (LP: #1797367) - s390/qeth: reduce hard-coded access to ccw channels - s390/qeth: sanitize strings in debug messages * Add checksum offload and TSO support for HiNIC adapters (LP: #1800664) - net-next/hinic: add checksum offload and TSO support * smartpqi updates for ubuntu 18.04.2 (LP: #1798208) - scsi: smartpqi: improve handling for sync requests - scsi: smartpqi: improve error checking for sync requests - scsi: smartpqi: add inspur advantech ids - scsi: smartpqi: fix critical ARM issue reading PQI index registers - scsi: smartpqi: bump driver version to 1.1.4-130 * [GLK/CLX] Enhanced IBRS (LP: #1786139) - x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation - x86/speculation: Support Enhanced IBRS on future CPUs * Enable keyboard wakeup for S2Idle laptops (LP: #1798552) - Input: i8042 - enable keyboard wakeups by default when s2idle is used * Overlayfs in user namespace leaks directory content of inaccessible directories (LP: #1793458) // CVE-2018-6559 - SAUCE: overlayfs: ensure mounter privileges when reading directories * Update ENA driver to version 2.0.1K (LP: #1798182) - net: ena: remove ndo_poll_controller - net: ena: fix auto casting to boolean - net: ena: minor performance improvement - net: ena: complete host info to match latest ENA spec - net: ena: introduce Low Latency Queues data structures according to ENA spec - net: ena: add functions for handling Low Latency Queues in ena_com - net: ena: add functions for handling Low Latency Queues in ena_netdev - net: ena: use CSUM_CHECKED device indication to report skb's checksum status - net: ena: explicit casting and initialization, and clearer error handling - net: ena: limit refill Rx threshold to 256 to avoid latency issues - net: ena: change rx copybreak default to reduce kernel memory pressure - net: ena: remove redundant
[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
I've verified the fix in 4.18.0-12.13-generic from cosmic-proposed. ** Tags removed: verification-needed-cosmic ** Tags added: verification-done-cosmic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1793458 Title: Overlayfs in user namespace leaks directory content of inaccessible directories Status in linux package in Ubuntu: In Progress Status in linux source package in Bionic: Fix Committed Status in linux source package in Cosmic: Fix Committed Status in linux source package in Disco: In Progress Bug description: Summary: With a combination of overlayfs and user namespaces, regular users can see the content of directories that would otherwise be inaccessible to them because of directory permissions (e.g., all users can see content of "/root"). Details: For the exploit it is necessary to create user and mount namespaces and mount an overlayfs inside it. Ubuntu allows this for regular users. The lower dir of the overlay would be "/", and the upper dir an attacker-controlled temporary directory. If the attacker wants to see the content of "/root", they would create a directory "root" in the upper dir of the overlay. Overlays seems to get confused about the permissions, and instead of applying the restrictive permissions of "root" from the lower dir, it applies more relaxed restrictions of "root" from the upper dir, granting the attacker the possibility to list the directory contents of "/root". To reproduce, simply run the attached script as regular user. It will show the content of "/root", on my system the output is this: ``` /bin/ls: cannot access '/root/.cache': Permission denied /bin/ls: cannot access '/root/.bashrc': Permission denied /bin/ls: cannot access '/root/snap': Permission denied /bin/ls: cannot access '/root/.gnupg': Permission denied /bin/ls: cannot access '/root/.aptitude': Permission denied /bin/ls: cannot access '/root/.bash_history': Permission denied /bin/ls: cannot access '/root/.profile': Permission denied /bin/ls: cannot access '/root/.hplip': Permission denied total 8 drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 . drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 .. d? ? ? ? ?? .aptitude -? ? ? ? ?? .bash_history -? ? ? ? ?? .bashrc d? ? ? ? ?? .cache d? ? ? ? ?? .gnupg d? ? ? ? ?? .hplip -? ? ? ? ?? .profile d? ? ? ? ?? snap ``` The script also has some comments that explain the necessary steps in more details. I tested on Ubuntu 18.04 with Linux 4.15.0-34-generic, but the bug probably affects all Ubuntu versions of the last years. Other distributions and the vanilla kernel should not be affected because AFAIK only Ubuntu allows mounting of overlayfs inside user namespaces. But of course it would be good to apply a potential fix upstream. So far I did not succeed in doing more than leaking the directory content, but of course that is no guarantee that it is not possible to do worse things. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-34-generic 4.15.0-34.37 ProcVersionSignature: Ubuntu 4.15.0-34.37-generic 4.15.18 Uname: Linux 4.15.0-34-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.3 Architecture: amd64 AudioDevicesInUse: USERPID ACCESS COMMAND /dev/snd/controlC1: wendler3414 F pulseaudio /dev/snd/controlC0: wendler3414 F pulseaudio CurrentDesktop: Unity:Unity7:ubuntu Date: Thu Sep 20 08:56:01 2018 HibernationDevice: RESUME=UUID=f9d1a1f9-50d2-4b7c-b7e4-66dc78d38062 InstallationDate: Installed on 2016-12-12 (646 days ago) InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719) MachineType: LENOVO 20FXS1B700 ProcFB: 0 inteldrmfb ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-34-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash resume=/dev/mapper/ubuntu--vg-swap_1 swapaccount=1 RelatedPackageVersions: linux-restricted-modules-4.15.0-34-generic N/A linux-backports-modules-4.15.0-34-generic N/A linux-firmware 1.173.1 SourcePackage: linux UpgradeStatus: Upgraded to bionic on 2018-09-04 (15 days ago) dmi.bios.date: 09/26/2016 dmi.bios.vendor: LENOVO dmi.bios.version: R07ET71W (2.11 ) dmi.board.asset.tag: Not Available dmi.board.name: 20FXS1B700 dmi.board.vendor: LENOVO dmi.board.version: SDK0J40697 WIN dmi.chassis.asset.tag: No Asset Information dmi.chassis.type: 10 dmi.chassis.vendor: LENOVO dmi.chassis.version: None dmi.modalias:
[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
Tyler, thanks for the clarification. I have tested it with 4.15.0-42-generic from bionic-proposed and can confirm it is fixed. ** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1793458 Title: Overlayfs in user namespace leaks directory content of inaccessible directories Status in linux package in Ubuntu: In Progress Status in linux source package in Bionic: Fix Committed Status in linux source package in Cosmic: Fix Committed Status in linux source package in Disco: In Progress Bug description: Summary: With a combination of overlayfs and user namespaces, regular users can see the content of directories that would otherwise be inaccessible to them because of directory permissions (e.g., all users can see content of "/root"). Details: For the exploit it is necessary to create user and mount namespaces and mount an overlayfs inside it. Ubuntu allows this for regular users. The lower dir of the overlay would be "/", and the upper dir an attacker-controlled temporary directory. If the attacker wants to see the content of "/root", they would create a directory "root" in the upper dir of the overlay. Overlays seems to get confused about the permissions, and instead of applying the restrictive permissions of "root" from the lower dir, it applies more relaxed restrictions of "root" from the upper dir, granting the attacker the possibility to list the directory contents of "/root". To reproduce, simply run the attached script as regular user. It will show the content of "/root", on my system the output is this: ``` /bin/ls: cannot access '/root/.cache': Permission denied /bin/ls: cannot access '/root/.bashrc': Permission denied /bin/ls: cannot access '/root/snap': Permission denied /bin/ls: cannot access '/root/.gnupg': Permission denied /bin/ls: cannot access '/root/.aptitude': Permission denied /bin/ls: cannot access '/root/.bash_history': Permission denied /bin/ls: cannot access '/root/.profile': Permission denied /bin/ls: cannot access '/root/.hplip': Permission denied total 8 drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 . drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 .. d? ? ? ? ?? .aptitude -? ? ? ? ?? .bash_history -? ? ? ? ?? .bashrc d? ? ? ? ?? .cache d? ? ? ? ?? .gnupg d? ? ? ? ?? .hplip -? ? ? ? ?? .profile d? ? ? ? ?? snap ``` The script also has some comments that explain the necessary steps in more details. I tested on Ubuntu 18.04 with Linux 4.15.0-34-generic, but the bug probably affects all Ubuntu versions of the last years. Other distributions and the vanilla kernel should not be affected because AFAIK only Ubuntu allows mounting of overlayfs inside user namespaces. But of course it would be good to apply a potential fix upstream. So far I did not succeed in doing more than leaking the directory content, but of course that is no guarantee that it is not possible to do worse things. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-34-generic 4.15.0-34.37 ProcVersionSignature: Ubuntu 4.15.0-34.37-generic 4.15.18 Uname: Linux 4.15.0-34-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.3 Architecture: amd64 AudioDevicesInUse: USERPID ACCESS COMMAND /dev/snd/controlC1: wendler3414 F pulseaudio /dev/snd/controlC0: wendler3414 F pulseaudio CurrentDesktop: Unity:Unity7:ubuntu Date: Thu Sep 20 08:56:01 2018 HibernationDevice: RESUME=UUID=f9d1a1f9-50d2-4b7c-b7e4-66dc78d38062 InstallationDate: Installed on 2016-12-12 (646 days ago) InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719) MachineType: LENOVO 20FXS1B700 ProcFB: 0 inteldrmfb ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-34-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash resume=/dev/mapper/ubuntu--vg-swap_1 swapaccount=1 RelatedPackageVersions: linux-restricted-modules-4.15.0-34-generic N/A linux-backports-modules-4.15.0-34-generic N/A linux-firmware 1.173.1 SourcePackage: linux UpgradeStatus: Upgraded to bionic on 2018-09-04 (15 days ago) dmi.bios.date: 09/26/2016 dmi.bios.vendor: LENOVO dmi.bios.version: R07ET71W (2.11 ) dmi.board.asset.tag: Not Available dmi.board.name: 20FXS1B700 dmi.board.vendor: LENOVO dmi.board.version: SDK0J40697 WIN dmi.chassis.asset.tag: No Asset Information dmi.chassis.type: 10 dmi.chassis.vendor: LENOVO dmi.chassis.version: None dmi.modalias:
Re: [Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
On 2018-11-19 18:14:43, Philipp Wendler wrote: > I hope that this is all just a misunderstanding and the message does not > apply to security problems. In this case please consider changing the > message or improving the process such that this confusion will be > avoided for future reports. Hi Philipp - I'm sorry about the confusion that comment caused. The comment was created by an automated script that the kernel team uses to help with the stable release update process. Security fixes do receive an exception with this policy. The common case is that we track security fixes with CVE IDs instead of Launchpad bug reports. In this case, we do have a bug report for this security issue so it gets lumped in with all of the other non-security fixes that are subject to this policy. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1793458 Title: Overlayfs in user namespace leaks directory content of inaccessible directories Status in linux package in Ubuntu: In Progress Status in linux source package in Bionic: Fix Committed Status in linux source package in Cosmic: Fix Committed Status in linux source package in Disco: In Progress Bug description: Summary: With a combination of overlayfs and user namespaces, regular users can see the content of directories that would otherwise be inaccessible to them because of directory permissions (e.g., all users can see content of "/root"). Details: For the exploit it is necessary to create user and mount namespaces and mount an overlayfs inside it. Ubuntu allows this for regular users. The lower dir of the overlay would be "/", and the upper dir an attacker-controlled temporary directory. If the attacker wants to see the content of "/root", they would create a directory "root" in the upper dir of the overlay. Overlays seems to get confused about the permissions, and instead of applying the restrictive permissions of "root" from the lower dir, it applies more relaxed restrictions of "root" from the upper dir, granting the attacker the possibility to list the directory contents of "/root". To reproduce, simply run the attached script as regular user. It will show the content of "/root", on my system the output is this: ``` /bin/ls: cannot access '/root/.cache': Permission denied /bin/ls: cannot access '/root/.bashrc': Permission denied /bin/ls: cannot access '/root/snap': Permission denied /bin/ls: cannot access '/root/.gnupg': Permission denied /bin/ls: cannot access '/root/.aptitude': Permission denied /bin/ls: cannot access '/root/.bash_history': Permission denied /bin/ls: cannot access '/root/.profile': Permission denied /bin/ls: cannot access '/root/.hplip': Permission denied total 8 drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 . drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 .. d? ? ? ? ?? .aptitude -? ? ? ? ?? .bash_history -? ? ? ? ?? .bashrc d? ? ? ? ?? .cache d? ? ? ? ?? .gnupg d? ? ? ? ?? .hplip -? ? ? ? ?? .profile d? ? ? ? ?? snap ``` The script also has some comments that explain the necessary steps in more details. I tested on Ubuntu 18.04 with Linux 4.15.0-34-generic, but the bug probably affects all Ubuntu versions of the last years. Other distributions and the vanilla kernel should not be affected because AFAIK only Ubuntu allows mounting of overlayfs inside user namespaces. But of course it would be good to apply a potential fix upstream. So far I did not succeed in doing more than leaking the directory content, but of course that is no guarantee that it is not possible to do worse things. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-34-generic 4.15.0-34.37 ProcVersionSignature: Ubuntu 4.15.0-34.37-generic 4.15.18 Uname: Linux 4.15.0-34-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.3 Architecture: amd64 AudioDevicesInUse: USERPID ACCESS COMMAND /dev/snd/controlC1: wendler3414 F pulseaudio /dev/snd/controlC0: wendler3414 F pulseaudio CurrentDesktop: Unity:Unity7:ubuntu Date: Thu Sep 20 08:56:01 2018 HibernationDevice: RESUME=UUID=f9d1a1f9-50d2-4b7c-b7e4-66dc78d38062 InstallationDate: Installed on 2016-12-12 (646 days ago) InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719) MachineType: LENOVO 20FXS1B700 ProcFB: 0 inteldrmfb ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-34-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash resume=/dev/mapper/ubuntu--vg-swap_1 swapaccount=1 RelatedPackageVersions: linux-restricted-modules-4.15.0-34-generic
[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
I find the demand to test the fix within 5 days, combined with the threat of dropping the patch otherwise, unreasonable. In my original report of this security problem I have already provided a script that allows to reproduce the problem and check if it still exists. Requiring an answer within 5 days is too short, after all people can be on holiday or just busy for other reasons. And even if I as the original submitter wouldn't respond at all, this is a real security problem in Ubuntu that was already confirmed. Are you really going to drop the patch and let CVE-2018-6559 stay unfixed forever? Maybe I will find the time to test it on Bionic, but I will certainly not install a different version of Ubuntu than the one I am currently running. I hope that this is all just a misunderstanding and the message does not apply to security problems. In this case please consider changing the message or improving the process such that this confusion will be avoided for future reports. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1793458 Title: Overlayfs in user namespace leaks directory content of inaccessible directories Status in linux package in Ubuntu: In Progress Status in linux source package in Bionic: Fix Committed Status in linux source package in Cosmic: Fix Committed Status in linux source package in Disco: In Progress Bug description: Summary: With a combination of overlayfs and user namespaces, regular users can see the content of directories that would otherwise be inaccessible to them because of directory permissions (e.g., all users can see content of "/root"). Details: For the exploit it is necessary to create user and mount namespaces and mount an overlayfs inside it. Ubuntu allows this for regular users. The lower dir of the overlay would be "/", and the upper dir an attacker-controlled temporary directory. If the attacker wants to see the content of "/root", they would create a directory "root" in the upper dir of the overlay. Overlays seems to get confused about the permissions, and instead of applying the restrictive permissions of "root" from the lower dir, it applies more relaxed restrictions of "root" from the upper dir, granting the attacker the possibility to list the directory contents of "/root". To reproduce, simply run the attached script as regular user. It will show the content of "/root", on my system the output is this: ``` /bin/ls: cannot access '/root/.cache': Permission denied /bin/ls: cannot access '/root/.bashrc': Permission denied /bin/ls: cannot access '/root/snap': Permission denied /bin/ls: cannot access '/root/.gnupg': Permission denied /bin/ls: cannot access '/root/.aptitude': Permission denied /bin/ls: cannot access '/root/.bash_history': Permission denied /bin/ls: cannot access '/root/.profile': Permission denied /bin/ls: cannot access '/root/.hplip': Permission denied total 8 drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 . drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 .. d? ? ? ? ?? .aptitude -? ? ? ? ?? .bash_history -? ? ? ? ?? .bashrc d? ? ? ? ?? .cache d? ? ? ? ?? .gnupg d? ? ? ? ?? .hplip -? ? ? ? ?? .profile d? ? ? ? ?? snap ``` The script also has some comments that explain the necessary steps in more details. I tested on Ubuntu 18.04 with Linux 4.15.0-34-generic, but the bug probably affects all Ubuntu versions of the last years. Other distributions and the vanilla kernel should not be affected because AFAIK only Ubuntu allows mounting of overlayfs inside user namespaces. But of course it would be good to apply a potential fix upstream. So far I did not succeed in doing more than leaking the directory content, but of course that is no guarantee that it is not possible to do worse things. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-34-generic 4.15.0-34.37 ProcVersionSignature: Ubuntu 4.15.0-34.37-generic 4.15.18 Uname: Linux 4.15.0-34-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.3 Architecture: amd64 AudioDevicesInUse: USERPID ACCESS COMMAND /dev/snd/controlC1: wendler3414 F pulseaudio /dev/snd/controlC0: wendler3414 F pulseaudio CurrentDesktop: Unity:Unity7:ubuntu Date: Thu Sep 20 08:56:01 2018 HibernationDevice: RESUME=UUID=f9d1a1f9-50d2-4b7c-b7e4-66dc78d38062 InstallationDate: Installed on 2016-12-12 (646 days ago) InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719) MachineType: LENOVO 20FXS1B700 ProcFB: 0 inteldrmfb ProcKernelCmdLine:
[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed- bionic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-bionic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1793458 Title: Overlayfs in user namespace leaks directory content of inaccessible directories Status in linux package in Ubuntu: In Progress Status in linux source package in Bionic: Fix Committed Status in linux source package in Cosmic: Fix Committed Status in linux source package in Disco: In Progress Bug description: Summary: With a combination of overlayfs and user namespaces, regular users can see the content of directories that would otherwise be inaccessible to them because of directory permissions (e.g., all users can see content of "/root"). Details: For the exploit it is necessary to create user and mount namespaces and mount an overlayfs inside it. Ubuntu allows this for regular users. The lower dir of the overlay would be "/", and the upper dir an attacker-controlled temporary directory. If the attacker wants to see the content of "/root", they would create a directory "root" in the upper dir of the overlay. Overlays seems to get confused about the permissions, and instead of applying the restrictive permissions of "root" from the lower dir, it applies more relaxed restrictions of "root" from the upper dir, granting the attacker the possibility to list the directory contents of "/root". To reproduce, simply run the attached script as regular user. It will show the content of "/root", on my system the output is this: ``` /bin/ls: cannot access '/root/.cache': Permission denied /bin/ls: cannot access '/root/.bashrc': Permission denied /bin/ls: cannot access '/root/snap': Permission denied /bin/ls: cannot access '/root/.gnupg': Permission denied /bin/ls: cannot access '/root/.aptitude': Permission denied /bin/ls: cannot access '/root/.bash_history': Permission denied /bin/ls: cannot access '/root/.profile': Permission denied /bin/ls: cannot access '/root/.hplip': Permission denied total 8 drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 . drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 .. d? ? ? ? ?? .aptitude -? ? ? ? ?? .bash_history -? ? ? ? ?? .bashrc d? ? ? ? ?? .cache d? ? ? ? ?? .gnupg d? ? ? ? ?? .hplip -? ? ? ? ?? .profile d? ? ? ? ?? snap ``` The script also has some comments that explain the necessary steps in more details. I tested on Ubuntu 18.04 with Linux 4.15.0-34-generic, but the bug probably affects all Ubuntu versions of the last years. Other distributions and the vanilla kernel should not be affected because AFAIK only Ubuntu allows mounting of overlayfs inside user namespaces. But of course it would be good to apply a potential fix upstream. So far I did not succeed in doing more than leaking the directory content, but of course that is no guarantee that it is not possible to do worse things. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-34-generic 4.15.0-34.37 ProcVersionSignature: Ubuntu 4.15.0-34.37-generic 4.15.18 Uname: Linux 4.15.0-34-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.3 Architecture: amd64 AudioDevicesInUse: USERPID ACCESS COMMAND /dev/snd/controlC1: wendler3414 F pulseaudio /dev/snd/controlC0: wendler3414 F pulseaudio CurrentDesktop: Unity:Unity7:ubuntu Date: Thu Sep 20 08:56:01 2018 HibernationDevice: RESUME=UUID=f9d1a1f9-50d2-4b7c-b7e4-66dc78d38062 InstallationDate: Installed on 2016-12-12 (646 days ago) InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719) MachineType: LENOVO 20FXS1B700 ProcFB: 0 inteldrmfb ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-34-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash resume=/dev/mapper/ubuntu--vg-swap_1 swapaccount=1 RelatedPackageVersions: linux-restricted-modules-4.15.0-34-generic N/A linux-backports-modules-4.15.0-34-generic N/A linux-firmware 1.173.1 SourcePackage: linux
[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- cosmic' to 'verification-done-cosmic'. If the problem still exists, change the tag 'verification-needed-cosmic' to 'verification-failed- cosmic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-cosmic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1793458 Title: Overlayfs in user namespace leaks directory content of inaccessible directories Status in linux package in Ubuntu: In Progress Status in linux source package in Bionic: Fix Committed Status in linux source package in Cosmic: Fix Committed Status in linux source package in Disco: In Progress Bug description: Summary: With a combination of overlayfs and user namespaces, regular users can see the content of directories that would otherwise be inaccessible to them because of directory permissions (e.g., all users can see content of "/root"). Details: For the exploit it is necessary to create user and mount namespaces and mount an overlayfs inside it. Ubuntu allows this for regular users. The lower dir of the overlay would be "/", and the upper dir an attacker-controlled temporary directory. If the attacker wants to see the content of "/root", they would create a directory "root" in the upper dir of the overlay. Overlays seems to get confused about the permissions, and instead of applying the restrictive permissions of "root" from the lower dir, it applies more relaxed restrictions of "root" from the upper dir, granting the attacker the possibility to list the directory contents of "/root". To reproduce, simply run the attached script as regular user. It will show the content of "/root", on my system the output is this: ``` /bin/ls: cannot access '/root/.cache': Permission denied /bin/ls: cannot access '/root/.bashrc': Permission denied /bin/ls: cannot access '/root/snap': Permission denied /bin/ls: cannot access '/root/.gnupg': Permission denied /bin/ls: cannot access '/root/.aptitude': Permission denied /bin/ls: cannot access '/root/.bash_history': Permission denied /bin/ls: cannot access '/root/.profile': Permission denied /bin/ls: cannot access '/root/.hplip': Permission denied total 8 drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 . drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 .. d? ? ? ? ?? .aptitude -? ? ? ? ?? .bash_history -? ? ? ? ?? .bashrc d? ? ? ? ?? .cache d? ? ? ? ?? .gnupg d? ? ? ? ?? .hplip -? ? ? ? ?? .profile d? ? ? ? ?? snap ``` The script also has some comments that explain the necessary steps in more details. I tested on Ubuntu 18.04 with Linux 4.15.0-34-generic, but the bug probably affects all Ubuntu versions of the last years. Other distributions and the vanilla kernel should not be affected because AFAIK only Ubuntu allows mounting of overlayfs inside user namespaces. But of course it would be good to apply a potential fix upstream. So far I did not succeed in doing more than leaking the directory content, but of course that is no guarantee that it is not possible to do worse things. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-34-generic 4.15.0-34.37 ProcVersionSignature: Ubuntu 4.15.0-34.37-generic 4.15.18 Uname: Linux 4.15.0-34-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.3 Architecture: amd64 AudioDevicesInUse: USERPID ACCESS COMMAND /dev/snd/controlC1: wendler3414 F pulseaudio /dev/snd/controlC0: wendler3414 F pulseaudio CurrentDesktop: Unity:Unity7:ubuntu Date: Thu Sep 20 08:56:01 2018 HibernationDevice: RESUME=UUID=f9d1a1f9-50d2-4b7c-b7e4-66dc78d38062 InstallationDate: Installed on 2016-12-12 (646 days ago) InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719) MachineType: LENOVO 20FXS1B700 ProcFB: 0 inteldrmfb ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-34-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash resume=/dev/mapper/ubuntu--vg-swap_1 swapaccount=1 RelatedPackageVersions: linux-restricted-modules-4.15.0-34-generic N/A linux-backports-modules-4.15.0-34-generic N/A linux-firmware 1.173.1 SourcePackage: linux
[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
** Changed in: linux (Ubuntu Cosmic) Status: In Progress => Fix Committed ** Changed in: linux (Ubuntu Bionic) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1793458 Title: Overlayfs in user namespace leaks directory content of inaccessible directories Status in linux package in Ubuntu: In Progress Status in linux source package in Bionic: Fix Committed Status in linux source package in Cosmic: Fix Committed Status in linux source package in Disco: In Progress Bug description: Summary: With a combination of overlayfs and user namespaces, regular users can see the content of directories that would otherwise be inaccessible to them because of directory permissions (e.g., all users can see content of "/root"). Details: For the exploit it is necessary to create user and mount namespaces and mount an overlayfs inside it. Ubuntu allows this for regular users. The lower dir of the overlay would be "/", and the upper dir an attacker-controlled temporary directory. If the attacker wants to see the content of "/root", they would create a directory "root" in the upper dir of the overlay. Overlays seems to get confused about the permissions, and instead of applying the restrictive permissions of "root" from the lower dir, it applies more relaxed restrictions of "root" from the upper dir, granting the attacker the possibility to list the directory contents of "/root". To reproduce, simply run the attached script as regular user. It will show the content of "/root", on my system the output is this: ``` /bin/ls: cannot access '/root/.cache': Permission denied /bin/ls: cannot access '/root/.bashrc': Permission denied /bin/ls: cannot access '/root/snap': Permission denied /bin/ls: cannot access '/root/.gnupg': Permission denied /bin/ls: cannot access '/root/.aptitude': Permission denied /bin/ls: cannot access '/root/.bash_history': Permission denied /bin/ls: cannot access '/root/.profile': Permission denied /bin/ls: cannot access '/root/.hplip': Permission denied total 8 drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 . drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 .. d? ? ? ? ?? .aptitude -? ? ? ? ?? .bash_history -? ? ? ? ?? .bashrc d? ? ? ? ?? .cache d? ? ? ? ?? .gnupg d? ? ? ? ?? .hplip -? ? ? ? ?? .profile d? ? ? ? ?? snap ``` The script also has some comments that explain the necessary steps in more details. I tested on Ubuntu 18.04 with Linux 4.15.0-34-generic, but the bug probably affects all Ubuntu versions of the last years. Other distributions and the vanilla kernel should not be affected because AFAIK only Ubuntu allows mounting of overlayfs inside user namespaces. But of course it would be good to apply a potential fix upstream. So far I did not succeed in doing more than leaking the directory content, but of course that is no guarantee that it is not possible to do worse things. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-34-generic 4.15.0-34.37 ProcVersionSignature: Ubuntu 4.15.0-34.37-generic 4.15.18 Uname: Linux 4.15.0-34-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.3 Architecture: amd64 AudioDevicesInUse: USERPID ACCESS COMMAND /dev/snd/controlC1: wendler3414 F pulseaudio /dev/snd/controlC0: wendler3414 F pulseaudio CurrentDesktop: Unity:Unity7:ubuntu Date: Thu Sep 20 08:56:01 2018 HibernationDevice: RESUME=UUID=f9d1a1f9-50d2-4b7c-b7e4-66dc78d38062 InstallationDate: Installed on 2016-12-12 (646 days ago) InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719) MachineType: LENOVO 20FXS1B700 ProcFB: 0 inteldrmfb ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-34-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash resume=/dev/mapper/ubuntu--vg-swap_1 swapaccount=1 RelatedPackageVersions: linux-restricted-modules-4.15.0-34-generic N/A linux-backports-modules-4.15.0-34-generic N/A linux-firmware 1.173.1 SourcePackage: linux UpgradeStatus: Upgraded to bionic on 2018-09-04 (15 days ago) dmi.bios.date: 09/26/2016 dmi.bios.vendor: LENOVO dmi.bios.version: R07ET71W (2.11 ) dmi.board.asset.tag: Not Available dmi.board.name: 20FXS1B700 dmi.board.vendor: LENOVO dmi.board.version: SDK0J40697 WIN dmi.chassis.asset.tag: No Asset Information dmi.chassis.type: 10 dmi.chassis.vendor: LENOVO dmi.chassis.version: None dmi.modalias:
[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
** Tags added: patch -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1793458 Title: Overlayfs in user namespace leaks directory content of inaccessible directories Status in linux package in Ubuntu: In Progress Status in linux source package in Bionic: In Progress Status in linux source package in Cosmic: In Progress Status in linux source package in DD-Series: In Progress Bug description: Summary: With a combination of overlayfs and user namespaces, regular users can see the content of directories that would otherwise be inaccessible to them because of directory permissions (e.g., all users can see content of "/root"). Details: For the exploit it is necessary to create user and mount namespaces and mount an overlayfs inside it. Ubuntu allows this for regular users. The lower dir of the overlay would be "/", and the upper dir an attacker-controlled temporary directory. If the attacker wants to see the content of "/root", they would create a directory "root" in the upper dir of the overlay. Overlays seems to get confused about the permissions, and instead of applying the restrictive permissions of "root" from the lower dir, it applies more relaxed restrictions of "root" from the upper dir, granting the attacker the possibility to list the directory contents of "/root". To reproduce, simply run the attached script as regular user. It will show the content of "/root", on my system the output is this: ``` /bin/ls: cannot access '/root/.cache': Permission denied /bin/ls: cannot access '/root/.bashrc': Permission denied /bin/ls: cannot access '/root/snap': Permission denied /bin/ls: cannot access '/root/.gnupg': Permission denied /bin/ls: cannot access '/root/.aptitude': Permission denied /bin/ls: cannot access '/root/.bash_history': Permission denied /bin/ls: cannot access '/root/.profile': Permission denied /bin/ls: cannot access '/root/.hplip': Permission denied total 8 drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 . drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 .. d? ? ? ? ?? .aptitude -? ? ? ? ?? .bash_history -? ? ? ? ?? .bashrc d? ? ? ? ?? .cache d? ? ? ? ?? .gnupg d? ? ? ? ?? .hplip -? ? ? ? ?? .profile d? ? ? ? ?? snap ``` The script also has some comments that explain the necessary steps in more details. I tested on Ubuntu 18.04 with Linux 4.15.0-34-generic, but the bug probably affects all Ubuntu versions of the last years. Other distributions and the vanilla kernel should not be affected because AFAIK only Ubuntu allows mounting of overlayfs inside user namespaces. But of course it would be good to apply a potential fix upstream. So far I did not succeed in doing more than leaking the directory content, but of course that is no guarantee that it is not possible to do worse things. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-34-generic 4.15.0-34.37 ProcVersionSignature: Ubuntu 4.15.0-34.37-generic 4.15.18 Uname: Linux 4.15.0-34-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.3 Architecture: amd64 AudioDevicesInUse: USERPID ACCESS COMMAND /dev/snd/controlC1: wendler3414 F pulseaudio /dev/snd/controlC0: wendler3414 F pulseaudio CurrentDesktop: Unity:Unity7:ubuntu Date: Thu Sep 20 08:56:01 2018 HibernationDevice: RESUME=UUID=f9d1a1f9-50d2-4b7c-b7e4-66dc78d38062 InstallationDate: Installed on 2016-12-12 (646 days ago) InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719) MachineType: LENOVO 20FXS1B700 ProcFB: 0 inteldrmfb ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-34-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash resume=/dev/mapper/ubuntu--vg-swap_1 swapaccount=1 RelatedPackageVersions: linux-restricted-modules-4.15.0-34-generic N/A linux-backports-modules-4.15.0-34-generic N/A linux-firmware 1.173.1 SourcePackage: linux UpgradeStatus: Upgraded to bionic on 2018-09-04 (15 days ago) dmi.bios.date: 09/26/2016 dmi.bios.vendor: LENOVO dmi.bios.version: R07ET71W (2.11 ) dmi.board.asset.tag: Not Available dmi.board.name: 20FXS1B700 dmi.board.vendor: LENOVO dmi.board.version: SDK0J40697 WIN dmi.chassis.asset.tag: No Asset Information dmi.chassis.type: 10 dmi.chassis.vendor: LENOVO dmi.chassis.version: None dmi.modalias: dmi:bvnLENOVO:bvrR07ET71W(2.11):bd09/26/2016:svnLENOVO:pn20FXS1B700:pvrThinkPadT460p:rvnLENOVO:rn20FXS1B700:rvrSDK0J40697WIN:cvnLENOVO:ct10:cvrNone: dmi.product.family: ThinkPad T460p dmi.product.name:
[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
Cosmic and "D": https://lists.ubuntu.com/archives/kernel-team/2018-October/096171.html Bionic: https://lists.ubuntu.com/archives/kernel-team/2018-October/096173.html ** Also affects: linux (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Dd-series) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Cosmic) Importance: High Assignee: Tyler Hicks (tyhicks) Status: In Progress ** Changed in: linux (Ubuntu Bionic) Status: New => In Progress ** Changed in: linux (Ubuntu Bionic) Importance: Undecided => Medium ** Changed in: linux (Ubuntu Cosmic) Importance: High => Medium ** Changed in: linux (Ubuntu Dd-series) Importance: Undecided => Medium ** Changed in: linux (Ubuntu Dd-series) Status: New => In Progress ** Changed in: linux (Ubuntu Bionic) Assignee: (unassigned) => Tyler Hicks (tyhicks) ** Changed in: linux (Ubuntu Dd-series) Assignee: (unassigned) => Tyler Hicks (tyhicks) -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1793458 Title: Overlayfs in user namespace leaks directory content of inaccessible directories Status in linux package in Ubuntu: In Progress Status in linux source package in Bionic: In Progress Status in linux source package in Cosmic: In Progress Status in linux source package in DD-Series: In Progress Bug description: Summary: With a combination of overlayfs and user namespaces, regular users can see the content of directories that would otherwise be inaccessible to them because of directory permissions (e.g., all users can see content of "/root"). Details: For the exploit it is necessary to create user and mount namespaces and mount an overlayfs inside it. Ubuntu allows this for regular users. The lower dir of the overlay would be "/", and the upper dir an attacker-controlled temporary directory. If the attacker wants to see the content of "/root", they would create a directory "root" in the upper dir of the overlay. Overlays seems to get confused about the permissions, and instead of applying the restrictive permissions of "root" from the lower dir, it applies more relaxed restrictions of "root" from the upper dir, granting the attacker the possibility to list the directory contents of "/root". To reproduce, simply run the attached script as regular user. It will show the content of "/root", on my system the output is this: ``` /bin/ls: cannot access '/root/.cache': Permission denied /bin/ls: cannot access '/root/.bashrc': Permission denied /bin/ls: cannot access '/root/snap': Permission denied /bin/ls: cannot access '/root/.gnupg': Permission denied /bin/ls: cannot access '/root/.aptitude': Permission denied /bin/ls: cannot access '/root/.bash_history': Permission denied /bin/ls: cannot access '/root/.profile': Permission denied /bin/ls: cannot access '/root/.hplip': Permission denied total 8 drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 . drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 .. d? ? ? ? ?? .aptitude -? ? ? ? ?? .bash_history -? ? ? ? ?? .bashrc d? ? ? ? ?? .cache d? ? ? ? ?? .gnupg d? ? ? ? ?? .hplip -? ? ? ? ?? .profile d? ? ? ? ?? snap ``` The script also has some comments that explain the necessary steps in more details. I tested on Ubuntu 18.04 with Linux 4.15.0-34-generic, but the bug probably affects all Ubuntu versions of the last years. Other distributions and the vanilla kernel should not be affected because AFAIK only Ubuntu allows mounting of overlayfs inside user namespaces. But of course it would be good to apply a potential fix upstream. So far I did not succeed in doing more than leaking the directory content, but of course that is no guarantee that it is not possible to do worse things. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-34-generic 4.15.0-34.37 ProcVersionSignature: Ubuntu 4.15.0-34.37-generic 4.15.18 Uname: Linux 4.15.0-34-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.3 Architecture: amd64 AudioDevicesInUse: USERPID ACCESS COMMAND /dev/snd/controlC1: wendler3414 F pulseaudio /dev/snd/controlC0: wendler3414 F pulseaudio CurrentDesktop: Unity:Unity7:ubuntu Date: Thu Sep 20 08:56:01 2018 HibernationDevice: RESUME=UUID=f9d1a1f9-50d2-4b7c-b7e4-66dc78d38062 InstallationDate: Installed on 2016-12-12 (646 days ago) InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719) MachineType: LENOVO 20FXS1B700 ProcFB: 0 inteldrmfb
[Kernel-packages] [Bug 1793458] Re: Overlayfs in user namespace leaks directory content of inaccessible directories
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1793458 Title: Overlayfs in user namespace leaks directory content of inaccessible directories Status in linux package in Ubuntu: In Progress Bug description: Summary: With a combination of overlayfs and user namespaces, regular users can see the content of directories that would otherwise be inaccessible to them because of directory permissions (e.g., all users can see content of "/root"). Details: For the exploit it is necessary to create user and mount namespaces and mount an overlayfs inside it. Ubuntu allows this for regular users. The lower dir of the overlay would be "/", and the upper dir an attacker-controlled temporary directory. If the attacker wants to see the content of "/root", they would create a directory "root" in the upper dir of the overlay. Overlays seems to get confused about the permissions, and instead of applying the restrictive permissions of "root" from the lower dir, it applies more relaxed restrictions of "root" from the upper dir, granting the attacker the possibility to list the directory contents of "/root". To reproduce, simply run the attached script as regular user. It will show the content of "/root", on my system the output is this: ``` /bin/ls: cannot access '/root/.cache': Permission denied /bin/ls: cannot access '/root/.bashrc': Permission denied /bin/ls: cannot access '/root/snap': Permission denied /bin/ls: cannot access '/root/.gnupg': Permission denied /bin/ls: cannot access '/root/.aptitude': Permission denied /bin/ls: cannot access '/root/.bash_history': Permission denied /bin/ls: cannot access '/root/.profile': Permission denied /bin/ls: cannot access '/root/.hplip': Permission denied total 8 drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 . drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 .. d? ? ? ? ?? .aptitude -? ? ? ? ?? .bash_history -? ? ? ? ?? .bashrc d? ? ? ? ?? .cache d? ? ? ? ?? .gnupg d? ? ? ? ?? .hplip -? ? ? ? ?? .profile d? ? ? ? ?? snap ``` The script also has some comments that explain the necessary steps in more details. I tested on Ubuntu 18.04 with Linux 4.15.0-34-generic, but the bug probably affects all Ubuntu versions of the last years. Other distributions and the vanilla kernel should not be affected because AFAIK only Ubuntu allows mounting of overlayfs inside user namespaces. But of course it would be good to apply a potential fix upstream. So far I did not succeed in doing more than leaking the directory content, but of course that is no guarantee that it is not possible to do worse things. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: linux-image-4.15.0-34-generic 4.15.0-34.37 ProcVersionSignature: Ubuntu 4.15.0-34.37-generic 4.15.18 Uname: Linux 4.15.0-34-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.3 Architecture: amd64 AudioDevicesInUse: USERPID ACCESS COMMAND /dev/snd/controlC1: wendler3414 F pulseaudio /dev/snd/controlC0: wendler3414 F pulseaudio CurrentDesktop: Unity:Unity7:ubuntu Date: Thu Sep 20 08:56:01 2018 HibernationDevice: RESUME=UUID=f9d1a1f9-50d2-4b7c-b7e4-66dc78d38062 InstallationDate: Installed on 2016-12-12 (646 days ago) InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719) MachineType: LENOVO 20FXS1B700 ProcFB: 0 inteldrmfb ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-34-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash resume=/dev/mapper/ubuntu--vg-swap_1 swapaccount=1 RelatedPackageVersions: linux-restricted-modules-4.15.0-34-generic N/A linux-backports-modules-4.15.0-34-generic N/A linux-firmware 1.173.1 SourcePackage: linux UpgradeStatus: Upgraded to bionic on 2018-09-04 (15 days ago) dmi.bios.date: 09/26/2016 dmi.bios.vendor: LENOVO dmi.bios.version: R07ET71W (2.11 ) dmi.board.asset.tag: Not Available dmi.board.name: 20FXS1B700 dmi.board.vendor: LENOVO dmi.board.version: SDK0J40697 WIN dmi.chassis.asset.tag: No Asset Information dmi.chassis.type: 10 dmi.chassis.vendor: LENOVO dmi.chassis.version: None dmi.modalias: dmi:bvnLENOVO:bvrR07ET71W(2.11):bd09/26/2016:svnLENOVO:pn20FXS1B700:pvrThinkPadT460p:rvnLENOVO:rn20FXS1B700:rvrSDK0J40697WIN:cvnLENOVO:ct10:cvrNone: dmi.product.family: ThinkPad T460p dmi.product.name: 20FXS1B700 dmi.product.version: ThinkPad T460p dmi.sys.vendor: LENOVO To manage notifications about this bug go to:
