Lack of privilege checking in do_write_pids

Bug #1512854 reported by Serge Hallyn on 2015-11-03
Affects          Status  Importance  Assigned to  Milestone
lxcfs (Ubuntu)           Undecided   Unassigned
Vivid                    Undecided   Unassigned
Wily                     Undecided   Unassigned
Xenial                   Undecided   Unassigned

Bug Description

cd /var/lib/lxcfs/cgroup/freezer/user/serge/1/lxc
echo 1 > tasks

In cgmanager, the equivalent action would check for the calling uid's privilege over the target pid's uid. However lxcfs fails to do such a check. Therefore any user only needs write access to the tasks file, and then can move any pid which it can address into the cgroup owning that tasks file.

lxcfs needs to, for each pid, check that the calling uid has the privilege to move the target uid. i.e.:

 * . they are the same task
 * . they are owned by the same uid
 * . @r is root on the host, or
 * . @v's uid is mapped into @r's where @r is root.

(copied from the function implementing this for cgmanager).

Note, cgmanager does not do this check for us because we make the cgmanager request as root on the host.
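
The four conditions listed in the description above, sketched as a stand-alone C check. This is an added example, not the lxcfs or cgmanager code: the struct, the function names and the sample uid maps are constructed for illustration, and uids are assumed to be the values seen from the host.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* A task as seen from the host; uid_map is the text of /proc/<pid>/uid_map
 * read on the host ("ns-id host-id count" per line). */
struct task { pid_t pid; uid_t host_uid; const char *uid_map; };

/* Constructed sample data: one container mapped at host uid 100000. */
static const char CT_MAP[] = "0 100000 65536\n";
static const char HOST_MAP[] = "0 0 4294967295\n";
static const struct task host_root = { 1, 0, HOST_MAP };
static const struct task host_user = { 600, 1000, HOST_MAP };
static const struct task ct_root = { 500, 100000, CT_MAP };
static const struct task ct_user = { 501, 101000, CT_MAP };

/* Translate a host uid into the namespace described by map. */
static bool host_uid_to_ns(const char *map, uid_t host_uid, uid_t *ns_uid)
{
    for (const char *line = map; line && *line; ) {
        unsigned int ns, host, count;
        if (sscanf(line, "%u %u %u", &ns, &host, &count) == 3 &&
            host_uid >= host && host_uid - host < count) {
            *ns_uid = ns + (host_uid - host);
            return true;
        }
        if ((line = strchr(line, '\n')))
            line++;
    }
    return false;
}

/* r is the task writing to the tasks file, v is the pid being written. */
static bool caller_may_move(const struct task *r, const struct task *v)
{
    uid_t ns_uid;
    /* same task, same owning uid, or r is root on the host */
    if (r->pid == v->pid || r->host_uid == v->host_uid || r->host_uid == 0)
        return true;
    /* r is root in its own user namespace and v's uid is mapped into it */
    return host_uid_to_ns(r->uid_map, r->host_uid, &ns_uid) && ns_uid == 0 &&
           host_uid_to_ns(r->uid_map, v->host_uid, &ns_uid);
}

int main(void)
{
    printf("%d %d %d\n", caller_may_move(&ct_root, &ct_user),
           caller_may_move(&host_user, &ct_user),
           caller_may_move(&host_root, &ct_user));
    return 0;
}
```

The middle case is the one the report is about: an unprivileged host user with write access to a tasks file is refused when the pid written belongs to a different uid.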

CVE References

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2015-1344

Changed in lxcfs (Ubuntu Vivid):
status: New → Confirmed
Changed in lxcfs (Ubuntu Wily):
status: New → Confirmed
Changed in lxcfs (Ubuntu Xenial):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

CRD for this issue will be 2015-11-17 18:00:00 UTC

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxcfs - 0.10-0ubuntu2.1

---------------
lxcfs (0.10-0ubuntu2.1) wily-security; urgency=medium

  * SECURITY UPDATE: does not properly enforce directory escapes
    (LP: #1508481)
    - debian/patches/0002-fix-checking-of-parent-dirs.patch: Ensure that a
      task under cgroup /a/b cannot mkdir, rmdir, or modify files under,
      directories not under /a/b. Add a testcase for this.
    - CVE-2015-1342
  * SECURITY UPDATE: lack of privilege checking in do_write_pids
    (LP: #1512854)
    - debian/patches/0002-Fix-movepid-cve.patch: Fix missing privilege
      check when moving pids to a new cgroup.
    - CVE-2015-1344

 -- Marc Deslauriers <email address hidden> Wed, 11 Nov 2015 07:19:02 -0500

Changed in lxcfs (Ubuntu Wily):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxcfs - 0.7-0ubuntu4.1

---------------
lxcfs (0.7-0ubuntu4.1) vivid-security; urgency=medium

  * SECURITY UPDATE: does not properly enforce directory escapes
    (LP: #1508481)
    - debian/patches/0005-fix-checking-of-parent-dirs.patch: Ensure that a
      task under cgroup /a/b cannot mkdir, rmdir, or modify files under,
      directories not under /a/b. Add a testcase for this.
    - CVE-2015-1342
  * SECURITY UPDATE: lack of privilege checking in do_write_pids
    (LP: #1512854)
    - debian/patches/0005-Fix-movepid-cve.patch: Fix missing privilege
      check when moving pids to a new cgroup.
    - CVE-2015-1344

 -- Marc Deslauriers <email address hidden> Wed, 11 Nov 2015 07:19:02 -0500

Changed in lxcfs (Ubuntu Vivid):
status: Confirmed → Fix Released
information type: Private Security → Public Security
tags: added: patch
Stéphane Graber (stgraber) wrote :

Pretty sure 0.13 contains this fix, closing.

Changed in lxcfs (Ubuntu Xenial):
status: Confirmed → Fix Released