Comment 39 for bug 670622

Vincent (vincent-redhat-bugs) wrote:

Created attachment 486670
patch to correct the flaw in fuse on Fedora 14 (v2.8.5)

Current fuse 2.8.5-5.fc14 still fails. I've taken the three upstream commits, merged them, and added the missing bits to make them complete, and I've tested it with the original exploit and the new test that showed the failures on Ubuntu, running them 20 times in a row, without being able to umount /proc. I believe that this patch will solve the problem, or at least get us closer (it does work for me, but I've not tested it in any way other than using these tests to make sure it was no longer possible to unmount /proc).

% # first run after a fresh boot
% sh new-test.sh
pre-run, make sure ps is working
vdanen 2233 0.0 0.1 106204 1184 pts/0 S+ 13:01 0:00 sh new-test.sh
vdanen 2234 0.0 0.1 110156 1104 pts/0 R+ 13:01 0:00 ps aux
vdanen 2235 0.0 0.0 101016 604 pts/0 S+ 13:01 0:00 tail -3
DirModifyInotify: no process found
FuseMinimal: no process found
gcc -o DirModifyInotify DirModifyInotify.c
gcc -D_FILE_OFFSET_BITS=64 -lfuse -Wall FuseMinimal.c -o FuseMinimal
Using target call count 8
Move triggered at count 8
fusermount: entry for /proc not found in /etc/mtab
post-run, is ps still working?
vdanen 2257 0.0 0.0 234524 488 ? Ssl 13:01 0:00 ../../FuseMinimal .
vdanen 2265 0.0 0.1 110152 1104 pts/0 R+ 13:01 0:00 ps aux
vdanen 2266 0.0 0.0 101016 608 pts/0 S+ 13:01 0:00 tail -3
% # second run
% sh new-test.sh
pre-run, make sure ps is working
vdanen 2267 0.0 0.1 106204 1180 pts/0 S+ 13:01 0:00 sh new-test.sh
vdanen 2268 0.0 0.1 110152 1104 pts/0 R+ 13:01 0:00 ps aux
vdanen 2269 0.0 0.0 101016 604 pts/0 S+ 13:01 0:00 tail -3
rm: cannot remove `tmp-moved/proc': Is a directory
Using target call count 8
Move triggered at count 8
fusermount: user has no write access to mountpoint /proc
fusermount: entry for /proc not found in /etc/mtab
post-run, is ps still working?
vdanen 2281 0.0 0.0 4128 280 pts/0 S+ 13:01 0:00 ./DirModifyInotify --Watch tmp/proc --Watch /etc/mtab --WatchCount 8 --MovePath tmp --LinkTarget /
vdanen 2289 1.0 0.1 110156 1108 pts/0 R+ 13:01 0:00 ps aux
vdanen 2290 0.0 0.0 101016 608 pts/0 S+ 13:01 0:00 tail -3