CVE-2018-18955: nested user namespaces with more than five extents incorrectly grant privileges over inode
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | High | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Cosmic | Fix Released | Undecided | Unassigned |
Disco | Fix Released | High | Unassigned |
Bug Description
Jann Horn reported that nested user namespaces with more than five mappings allow gaining privilege over an inode.
Here is my write up of how this happens:
Currently, the forward map and reverse map are copied and sorted at the same time, before the necessary updates to the forward map have been performed. This has the consequence that the forward map receives the necessary updates while the reverse map does not, leaving it with invalid data. Specifically, this means that the lower ids of the forward mapping will be correctly mapped to appropriate kernel ids, while the lower ids of the reverse mapping will not.
This breaks inode_owner_
Note that the sorting logic is only triggered when more than five extents are specified and when user namespaces are nested. Hence, only containers with complex mappings in nested user namespaces are affected.
To fix this issue we need to ensure that the translation happens for both the forward and reverse mappings. First, the forward mappings are sorted and their lower ids translated into kernel ids. After this the forward mapping is copied into the reverse mapping and the reverse mappings sorted.
A proposed patch is appended here.
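The ordering problem the description above explains, as an added user-space model: this is not the kernel's source and not the reporter's proposed patch. It keeps the kernel's structure (a forward array sorted by `first`, a reverse clone sorted by `lower_first`, and helpers named after `sort_idmaps()`, `map_id_range_down()` and `map_id_up()`) but every struct, helper name and id value below is constructed for illustration. `build_map_buggy()` clones and sorts before translating the lower ids into kernel ids; `build_map_fixed()` translates first. With the buggy order, the reverse map of the nested namespace still holds parent-namespace ids, so a lookup of kernel uid 0 (which the nested namespace does not map) succeeds, while the genuinely mapped kernel id 100050 is not found.

```c
/*
 * Added example, not the kernel's source and not the reporter's patch: a
 * user-space model of how kernel/user_namespace.c builds the forward and
 * reverse id maps of a nested user namespace with more than five extents.
 * All struct names, helper names and id values are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_EXTENTS 6   /* more than five, so the sorted forward/reverse arrays are used */

typedef struct { uint32_t first; uint32_t lower_first; uint32_t count; } extent_t;
typedef struct { unsigned nr; extent_t forward[NR_EXTENTS]; extent_t reverse[NR_EXTENTS]; } idmap_t;
typedef struct { uint32_t id; int up; } lookup_key;

static int cmp_forward(const void *a, const void *b) {      /* sort by first */
    const extent_t *x = a, *y = b;
    return (x->first > y->first) - (x->first < y->first);
}
static int cmp_reverse(const void *a, const void *b) {      /* sort by lower_first */
    const extent_t *x = a, *y = b;
    return (x->lower_first > y->lower_first) - (x->lower_first < y->lower_first);
}
/* bsearch comparator: is key->id inside this extent, keyed on first (down) or lower_first (up)? */
static int cmp_key(const void *k, const void *e) {
    const lookup_key *key = k;
    const extent_t *el = e;
    uint32_t base = key->up ? el->lower_first : el->first;
    if (key->id < base) return -1;
    if (key->id - base >= el->count) return 1;
    return 0;
}

/* Namespace id -> lower id (a kernel id once translated); UINT32_MAX means unmapped. */
static uint32_t map_id_range_down(const idmap_t *m, uint32_t id, uint32_t count) {
    lookup_key k = { id, 0 };
    const extent_t *e = bsearch(&k, m->forward, m->nr, sizeof(extent_t), cmp_key);
    if (!e || (id - e->first) + count > e->count) return UINT32_MAX;
    return e->lower_first + (id - e->first);
}
/* Kernel id -> namespace id through the reverse map; this is the direction from_kuid() needs. */
static uint32_t map_id_up(const idmap_t *m, uint32_t id) {
    lookup_key k = { id, 1 };
    const extent_t *e = bsearch(&k, m->reverse, m->nr, sizeof(extent_t), cmp_key);
    return e ? e->first + (id - e->lower_first) : UINT32_MAX;
}

/* Model of sort_idmaps(): sort forward, clone it into reverse, sort reverse. */
static void sort_idmaps(idmap_t *m) {
    qsort(m->forward, m->nr, sizeof(extent_t), cmp_forward);
    memcpy(m->reverse, m->forward, m->nr * sizeof(extent_t));
    qsort(m->reverse, m->nr, sizeof(extent_t), cmp_reverse);
}
/* Rewrite each extent's lower_first from parent-namespace ids into kernel ids. */
static int translate_lower(idmap_t *m, const idmap_t *parent) {
    for (unsigned i = 0; i < m->nr; i++) {
        extent_t *e = &m->forward[i];
        uint32_t kid = map_id_range_down(parent, e->lower_first, e->count);
        if (kid == UINT32_MAX) return -1;
        e->lower_first = kid;
    }
    return 0;
}

/* Buggy order: reverse is cloned before translation and keeps parent-namespace ids. */
static int build_map_buggy(idmap_t *m, const idmap_t *parent) {
    sort_idmaps(m);
    return translate_lower(m, parent);
}
/* Fixed order: translate forward first, then clone and sort, so both arrays hold kernel ids. */
static int build_map_fixed(idmap_t *m, const idmap_t *parent) {
    if (translate_lower(m, parent)) return -1;
    sort_idmaps(m);
    return 0;
}

/* Constructed scenario: ns1 is a child of the initial namespace (identity map, so its
 * lower ids are already kernel ids 100000..699999); ns2 is nested inside ns1 and maps
 * its ids 0..599 onto ns1 ids 0..5999 in six extents of 100. */
static void setup(idmap_t *ns1, idmap_t *ns2) {
    ns1->nr = ns2->nr = NR_EXTENTS;
    for (unsigned i = 0; i < NR_EXTENTS; i++) {
        ns1->forward[i] = (extent_t){ i * 1000, (i + 1) * 100000, 1000 };
        ns2->forward[i] = (extent_t){ i * 100, i * 1000, 100 };
    }
    sort_idmaps(ns1);
}

/* Kernel id -> ns2 id, with ns2's map built in buggy (fixed == 0) or fixed order. */
uint32_t demo_map_id_up(int fixed, uint32_t kernel_id) {
    idmap_t ns1, ns2;
    setup(&ns1, &ns2);
    if (fixed) build_map_fixed(&ns2, &ns1); else build_map_buggy(&ns2, &ns1);
    return map_id_up(&ns2, kernel_id);
}

int main(void) {
    /* Kernel uid 0 is not mapped into ns2, yet the buggy reverse map reports that it is. */
    printf("buggy: kernel uid 0 -> ns2 uid %u\n", demo_map_id_up(0, 0));
    printf("fixed: kernel uid 0 -> ns2 uid %u\n", demo_map_id_up(1, 0));
    printf("fixed: kernel uid 100050 -> ns2 uid %u\n", demo_map_id_up(1, 100050));
    return 0;
}
```

The forward map is identical in both builds, which is why ordinary id translation keeps working and the defect is only visible on the kernel-to-namespace direction that ownership checks rely on; a regression check for this class of bug therefore has to exercise `map_id_up()` on a nested namespace with more than five extents, not just `map_id_range_down()`.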
CVE References
description: | updated |
Changed in linux (Ubuntu): | |
importance: | Undecided → High |
status: | New → Triaged |
information type: | Private Security → Public Security |
tags: | added: patch |
Changed in linux (Ubuntu Cosmic): | |
status: | New → Fix Committed |
Changed in linux (Ubuntu Bionic): | |
status: | New → Fix Committed |
tags: | added: verification-done-bionic verification-done-cosmic removed: verification-needed-bionic verification-needed-cosmic |
Changed in linux (Ubuntu Disco): | |
status: | Triaged → Fix Committed |
tags: | added: cscc |
+1