overlay: permission regression in 5.4.0.89.93 due to fix for CVE-2021-3732

Bug #1947718 reported by Philipp Wendler
This bug affects 3 people
Affects: linux (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Since kernel 5.4.0-89.100 on Focal and 4.15.0-159.167 on Bionic I can no longer mount an overlay filesystem over directories like / in a user namespace. With kernel versions 5.4.0-88.99 and 4.15.0-158.166, respectively, this still works.

An easy way to test this is the following command:
mkdir /tmp/test /tmp/test/upper /tmp/test/work
unshare -m -U -r mount -t overlay none / -o lowerdir=/,upperdir=/tmp/test/upper,workdir=/tmp/test/work

On an older kernel, this works and outputs nothing.
On the affected kernels, it outputs

mount: /: wrong fs type, bad option, bad superblock on none, missing codepage or helper program, or other error.

I strongly suspect that this is due to commit "ovl: prevent private clone if bind mount is not allowed" (https://github.com/torvalds/linux/commit/427215d85e8d1476da1a86b8d67aceb485eb3631), which is supposed to fix CVE-2021-3732 and was backported to the affected Ubuntu kernels. This would likely mean that all other supported Ubuntu versions are also affected, and also the upstream kernel (but I did not test this).

My testing indicates that the mount problem exists whenever I want to use a directory as lowerdir that has some mountpoints below. For example, using / or /dev as lowerdir does not work, but lowerdir=/dev/shm works even on the affected kernels.

Of course I can understand the problem of CVE-2021-3732, but the current fix is clearly a regression for legitimate behavior.

My use case is that I want to create a container for sandboxing purposes where I want to mount overlays inside a user+mount namespace over the whole visible filesystem hierarchy. (Note that in this use case, I iterate over all mount points and create an overlay mount for each existing mount point; I do not expect a single overlay mount to have meaningful cross-mountpoint behavior. So my use case is not affected by the security problem. But for this I still need to be able to create overlay mounts for all mount points, including non-leaf mountpoints.)

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: linux-image-5.4.0-89-generic 5.4.0-89.100
ProcVersionSignature: User Name 5.4.0-89.100-generic 5.4.143
Uname: Linux 5.4.0-89-generic x86_64
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 Oct 19 04:42 seq
 crw-rw---- 1 root audio 116, 33 Oct 19 04:42 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.20.11-0ubuntu27.20
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: [Errno 2] No such file or directory: 'fuser'
CasperMD5CheckResult: skip
CurrentDmesg: Error: command ['dmesg'] failed with exit code 1: dmesg: read kernel buffer failed: Operation not permitted
Date: Tue Oct 19 12:15:01 2021
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
Lsusb:
 Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU USB Tablet
 Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Lsusb-t:
 /: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
     |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
PciMultimedia:

ProcEnviron:
 TERM=screen-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=C.UTF-8
 SHELL=/bin/bash
ProcFB: 0 bochs-drmdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.4.0-89-generic root=PARTUUID=59ea2f51-599c-49f2-b9b3-77197e333865 ro console=tty1 console=ttyS0
RelatedPackageVersions:
 linux-restricted-modules-5.4.0-89-generic N/A
 linux-backports-modules-5.4.0-89-generic N/A
 linux-firmware 1.187.19
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
acpidump:

dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-5.2
dmi.modalias: dmi:bvnSeaBIOS:bvrrel-1.14.0-0-g155821a1990b-prebuilt.qemu.org:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-5.2:cvnQEMU:ct1:cvrpc-i440fx-5.2:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-5.2
dmi.sys.vendor: QEMU
---
ProblemType: Bug
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 Oct 19 04:42 seq
 crw-rw---- 1 root audio 116, 33 Oct 19 04:42 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.20.11-0ubuntu27.20
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: [Errno 2] No such file or directory: 'fuser'
CasperMD5CheckResult: skip
CurrentDmesg: Error: command ['dmesg'] failed with exit code 1: dmesg: read kernel buffer failed: Operation not permitted
DistroRelease: Ubuntu 20.04
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
Lsusb:
 Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU USB Tablet
 Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Lsusb-t:
 /: Bus 01.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
     |__ Port 1: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 12M
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
Package: linux (not installed)
PciMultimedia:

ProcEnviron:
 TERM=screen-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=C.UTF-8
 SHELL=/bin/bash
ProcFB: 0 bochs-drmdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-5.4.0-89-generic root=PARTUUID=59ea2f51-599c-49f2-b9b3-77197e333865 ro console=tty1 console=ttyS0
ProcVersionSignature: User Name 5.4.0-89.100-generic 5.4.143
RelatedPackageVersions:
 linux-restricted-modules-5.4.0-89-generic N/A
 linux-backports-modules-5.4.0-89-generic N/A
 linux-firmware 1.187.19
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
Tags: focal
Uname: Linux 5.4.0-89-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm audio cdrom dialout dip floppy lxd netdev plugdev proc sudo systemd-journal video
_MarkForUpload: True
acpidump:

dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-5.2
dmi.modalias: dmi:bvnSeaBIOS:bvrrel-1.14.0-0-g155821a1990b-prebuilt.qemu.org:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-5.2:cvnQEMU:ct1:cvrpc-i440fx-5.2:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-5.2
dmi.sys.vendor: QEMU

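The report observes that the overlay mount is refused exactly when the chosen lowerdir has other mount points below it (/ and /dev fail, /dev/shm works). The script below, added here as an example and not code from the reporter or the Ubuntu kernel team, turns that observation into a pre-check: it parses a file in /proc/self/mountinfo format (field 5 is the mount point), lists the submounts under a candidate lowerdir, and classifies it as leaf or non-leaf. The function names (`submounts_under`, `lowerdir_is_leaf`, `overlay_in_userns_works`) and the sample mountinfo lines are assumptions constructed for the example; only the unshare/mount command inside `overlay_in_userns_works` is the reporter's own reproducer, and that function is never run automatically because it needs unprivileged user namespaces.

```shell
#!/bin/sh
# Added example for bug #1947718; not code from the reporter or the kernel
# team. Pre-check: on the affected kernels an overlay mount in a user
# namespace is refused whenever the lowerdir has mount points below it.

# Print mount points strictly below DIR, read from a file in
# /proc/self/mountinfo format (default: the live one). Field 5 of
# mountinfo is the mount point; spaces in it are escaped as \040.
submounts_under() {
    dir=${1%/}                      # drop one trailing slash ...
    [ -z "$dir" ] && dir=/          # ... but keep "/" itself
    file=${2:-/proc/self/mountinfo}
    awk -v d="$dir" '
        {
            mp = $5
            gsub(/\\040/, " ", mp)
            prefix = (d == "/") ? "/" : d "/"
            if (mp != d && substr(mp, 1, length(prefix)) == prefix) print mp
        }' "$file"
}

# Number of mount points below DIR (plain integer, no padding).
submount_count() {
    submounts_under "$1" "${2:-/proc/self/mountinfo}" | wc -l | tr -d ' '
}

# Exit 0 when DIR has no mount points below it (the kind of lowerdir the
# report says still works, like /dev/shm); exit 1 otherwise.
lowerdir_is_leaf() {
    [ "$(submount_count "$1" "${2:-/proc/self/mountinfo}")" -eq 0 ]
}

# Runs the reporter's reproducer against DIR and reports the outcome.
# Needs unshare(1) with unprivileged user namespaces; not called below.
overlay_in_userns_works() {
    dir=$1
    scratch=$(mktemp -d)
    mkdir "$scratch/upper" "$scratch/work"
    if unshare -m -U -r mount -t overlay none "$dir" \
        -o "lowerdir=$dir,upperdir=$scratch/upper,workdir=$scratch/work" 2>/dev/null
    then
        echo "overlay over $dir: works"; rc=0
    else
        echo "overlay over $dir: refused (submounts below: $(submount_count "$dir"))"; rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# Constructed sample mountinfo (assumption; not captured from the
# reporter's machine). Mirrors the report: / and /dev have submounts,
# /dev/shm does not.
SAMPLE_MOUNTINFO=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTINFO"' EXIT
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
29 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
22 29 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
23 29 0:22 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=1G,mode=755
24 23 0:23 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620
25 23 0:24 / /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
31 29 0:26 / /tmp rw,nosuid,nodev shared:5 - tmpfs tmpfs rw
EOF

for candidate in / /dev /dev/shm; do
    if lowerdir_is_leaf "$candidate" "$SAMPLE_MOUNTINFO"; then
        echo "$candidate: no submounts, overlay expected to succeed even on affected kernels"
    else
        echo "$candidate: submounts below -> $(submounts_under "$candidate" "$SAMPLE_MOUNTINFO" | tr '\n' ' ')"
    fi
done
```

To check a live system, call `submounts_under /dev` with no second argument so it reads /proc/self/mountinfo, and `overlay_in_userns_works /dev` to run the report's reproducer; the submount count it prints on failure is the quick way to tell this regression apart from an unrelated mount error.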
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1947718

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Philipp Wendler (philw85) wrote : CRDA.txt

apport information

tags: added: apport-collected
description: updated
Revision history for this message
Philipp Wendler (philw85) wrote : Lspci.txt

apport information

Revision history for this message
Philipp Wendler (philw85) wrote : Lspci-vt.txt

apport information

Revision history for this message
Philipp Wendler (philw85) wrote : Lsusb-v.txt

apport information

Revision history for this message
Philipp Wendler (philw85) wrote : ProcCpuinfo.txt

apport information

Revision history for this message
Philipp Wendler (philw85) wrote : ProcCpuinfoMinimal.txt

apport information

Revision history for this message
Philipp Wendler (philw85) wrote : ProcInterrupts.txt

apport information

Revision history for this message
Philipp Wendler (philw85) wrote : ProcModules.txt

apport information

Revision history for this message
Philipp Wendler (philw85) wrote : UdevDb.txt

apport information

Revision history for this message
Philipp Wendler (philw85) wrote : WifiSyslog.txt

apport information

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
Philipp Wendler (philw85) wrote :

Status set to "Confirmed" as requested by the bot after uploading logs (although I did upload them when creating the issue as well...).

Revision history for this message
Philipp Wendler (philw85) wrote :

This is a kernel regression and now almost three months old. Could somebody please have a look?

Revision history for this message
Philipp Wendler (philw85) wrote :

I now tested with newer kernels: The regression is still present in 5.15.0-33-generic from the hwe-edge package for Ubuntu 20.04.

I also tested kernels from the Ubuntu Mainline Kernel Archive. It works with 5.13.0-051300-generic and fails with 5.14.0-051400-generic and also still with 5.18.3-051803-generic. So this is consistent with my hypothesis about which commit is the problem.

Is there a chance to get this resolved? If I can be of any further help, e.g., by testing more kernel versions, please let me know!
