OverlayFS: Wrong mnt_id and path reported in /proc in linux-3.13
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | linux (Ubuntu) |
Medium
|
Unassigned | ||
Bug Description
I am running Ubuntu Trusty (3.13.0-65-generic #106-Ubuntu SMP Fri Oct 2 22:08:27 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux).
There are two issues in OverlayFS as follows:
1. /proc/<
2. /proc/<pid>/fd/<fd> shows incorrect path for the symlink target
These issues were previously reported and patched for the Ubuntu Vivid kernel (3.19) in bug #1479468, but the patch was not applied to the 3.13 kernel, possibly because it contains an older version of overlayfs.
These issues are now adversely affecting some versions of lxc when used in conjunction with the 3.13 kernel, because lxc has recently been patched to pass /proc/<pid>/fd/<fd> to the mount syscall. This change to lxc was made in response to cve-2015-1335; see bug #1476662.
The kernel issues cause some overlayfs-backed containers to fail to start, with error message,
strace: mount("
The mount fails because /proc/self/fd/16, which should point to a file in overlayfs, has an invalid value.
The version of lxc in the trusty-updates repository, lxc-1.0.
is not affected. The following versions of lxc are affected:
repository lxc version
-------
ppa:ubuntu-
ppa:ubuntu-
ppa:ubuntu-
To reproduce the lxc failure-to-start issue:
# Install the 3.13 kernel and also an affected version of lxc.
lxc-create -t download -n trusty -- -d ubuntu -r trusty -a amd64;
touch $HOME/test.txt;
echo "lxc.mount.entry = $HOME/test.txt home/ubuntu/
lxc-clone -s -B overlayfs trusty trusty_overlay;
lxc-start -n trusty_overlay; # fails to start
CVE References
| Changed in linux (Ubuntu): | |
| status: | New → Incomplete |
| tags: | added: trusty |
| description: | updated |
| oleg (overlayfs) wrote : BootDmesg.txt | #2 |
apport information
| tags: | added: apparmor apport-collected third-party-packages uec-images |
| description: | updated |
| oleg (overlayfs) wrote : CurrentDmesg.txt | #3 |
apport information
| oleg (overlayfs) wrote : Dependencies.txt | #4 |
apport information
| oleg (overlayfs) wrote : KernLog.txt | #5 |
apport information
| oleg (overlayfs) wrote : Lspci.txt | #6 |
apport information
| oleg (overlayfs) wrote : ProcCpuinfo.txt | #7 |
apport information
| oleg (overlayfs) wrote : ProcInterrupts.txt | #8 |
apport information
| oleg (overlayfs) wrote : ProcModules.txt | #9 |
apport information
apport information
| oleg (overlayfs) wrote : UdevDb.txt | #11 |
apport information
| oleg (overlayfs) wrote : UdevLog.txt | #12 |
apport information
| oleg (overlayfs) wrote : WifiSyslog.txt | #13 |
apport information
| oleg (overlayfs) wrote : lxc-net.default.txt | #14 |
apport information
| oleg (overlayfs) wrote : lxc.default.txt | #15 |
apport information
| oleg (overlayfs) wrote : lxcsyslog.txt | #16 |
apport information
| description: | updated |
| tags: | removed: apparmor apport-collected third-party-packages |
| Changed in linux (Ubuntu): | |
| status: | Incomplete → Confirmed |
| Chris J Arges (arges) wrote : | #17 |
I tried the following:
# Install the 3.13 kernel and also an affected version of lxc.
lxc-create -t download -n trusty -- -d ubuntu -r trusty -a amd64;
touch $HOME/test.txt;
echo "lxc.mount.entry = $HOME/test.txt home/ubuntu/
lxc-clone -s -B overlayfs trusty trusty_overlay;
lxc-start -n trusty_overlay; # fails to start
In a clean and fully updated Trusty VM and could not reproduce the issue with the trusty version of the packages.
ii lxc 1.0.7-0ubuntu0.7 amd64 Linux Containers userspace tools
I also tried the stable version of LXC (https:/
ii lxc 1.1.4-0ubuntu1~
So seems to be fixed in 1.1.4, and I suspect this commit fixes the issue:
commit e228426cf483dc6
Author: Serge Hallyn <email address hidden>
Date: Mon Sep 21 17:09:25 2015 +0000
overlayfs_
Can you re-test with 1.1.4 and see if that fixes the issue? Thanks,
--chris
| Changed in lxc (Ubuntu): | |
| status: | New → Incomplete |
| Changed in linux (Ubuntu): | |
| status: | Confirmed → Incomplete |
| Changed in linux (Ubuntu): | |
| importance: | Undecided → Medium |
| oleg (overlayfs) wrote : | #19 |
I retested using lxc-1.1.4 from the lxc-stable ppa (https:/
"lxc-start -n trusty_overlay" fails as before, with the same error message,
ERROR lxc_utils - utils.c:
ERROR lxc_conf - conf.c:
ERROR lxc_conf - conf.c:
| oleg (overlayfs) wrote : | #20 |
Chris, it would be of interest to see whether you can reproduce the underlying kernel bug using this script,
#!/bin/bash
fatal() { echo "error: $@"; exit 1; }
echo -e "testing for overlayfs kernel bug in kernels <= 3.17.";
echo -e "(This script does not work for the newer version of overlayfs in kernels 3.18+)";
mkdir test_dir || fatal "mkdir test_dir";
sudo mount -t tmpfs none test_dir || fatal "mount tmpfs";
cd test_dir;
mkdir lowerdir upperdir overlayfs;
sudo mount -t overlayfs -o lowerdir=
exec 6> file_tmpfs.txt;
exec 7> lowerdir/
exec 8> upperdir/
exec 9> overlayfs/
echo -e "\ncontents of /proc/$BASHPID/fd/ . A broken symbolic link to file_overlayfs.txt indicates a kernel bug";
echo "------
file /proc/$
# cleanup
exec 9>&-;
exec 8>&-;
exec 7>&-;
exec 6>&-;
sudo umount overlayfs;
cd ..;
sudo umount test_dir && rmdir test_dir;
#----------end of script
Running the script as root, sudo ./script, I get the following output,
testing for overlayfs kernel bug in kernels <= 3.17.
(This script does not work for the newer version of overlayfs in kernels 3.18+)
contents of /proc/1916/fd/ . A broken symbolic link to file_overlayfs.txt indicates a kernel bug
-----
/proc/1916/fd/6: symbolic link to `/home/
/proc/1916/fd/7: symbolic link to `/home/
/proc/1916/fd/8: symbolic link to `/home/
/proc/1916/fd/9: broken symbolic link to `/file_
It seems that the kernel bug is causing fd 9 to point to /file_overlayfs
| oleg (overlayfs) wrote : | #21 |
The following lxc commit introduced safe_mount(), which passes fd's as arguments to mount(),
CVE-2015-1335: Protect container mounts against symlinks
https:/
Here is the relevant part of the commit, which creates a file descriptor and passes it to mount().
+ destfd = open_without_
+ if (destfd < 0) {
+ if (srcfd != -1)
+ close(srcfd);
+ return destfd;
+ }
+
+ ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd);
+ if (ret < 0 || ret > 50) {
+ if (srcfd != -1)
+ close(srcfd);
+ close(destfd);
+ ERROR("Out of memory");
+ return -EINVAL;
+ }
+
+ ret = mount(mntsrc, destbuf, fstype, flags, data);
The strace of mount() shows,
strace: mount("
The mount fails because /proc/self/fd/16, which should point to a file in overlayfs, has an invalid value.
| Changed in linux (Ubuntu): | |
| status: | Incomplete → Confirmed |
| Changed in lxc (Ubuntu): | |
| status: | Incomplete → Confirmed |
| oleg (overlayfs) wrote : | #22 |
Related bug #1347746 : Overlayfs breaks /proc/self/exe link
| no longer affects: | lxc (Ubuntu) |
| oleg (overlayfs) wrote : | #23 |
This bug does still affect lxc on Ubuntu Trusty when using the 3.13 kernel in conjunction with the latest daily-build of lxc, 1.1.5+master~
| Changed in lxc (Ubuntu): | |
| status: | New → Confirmed |
| no longer affects: | lxc (Ubuntu) |
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1507463
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.