| 2018-11-06 12:06:16 |
Christian Brauner |
bug |
|
|
added bug |
| 2018-11-06 12:06:16 |
Christian Brauner |
attachment added |
|
v1-0001-userns-defer-setting-up-reverse-mappings.patch https://bugs.launchpad.net/bugs/1801924/+attachment/5209678/+files/v1-0001-userns-defer-setting-up-reverse-mappings.patch |
|
| 2018-11-06 12:06:56 |
Christian Brauner |
bug |
|
|
added subscriber Eric W. Biederman |
| 2018-11-06 12:07:11 |
Christian Brauner |
bug |
|
|
added subscriber Jann Horn (corp account) |
| 2018-11-06 12:07:49 |
Christian Brauner |
bug |
|
|
added subscriber Serge Hallyn |
| 2018-11-06 12:16:22 |
Christian Brauner |
cve linked |
|
2018-18955 |
|
| 2018-11-06 12:17:48 |
Christian Brauner |
description |
Jann Horn reported that nested user namespaces with more than five mappings in nested user namespaces allow to gain privilege over an inode.
Here is my write up of how this happens:
Currently, the forward map and reverse map are copied and sorted at the same time before necessary updates to the forward map have been performed. This has the consequence that the forward map receives the necessary pdates while the reverse map does not leaving it with invalid data. Specifically, this means that the lower ids of the forward mapping will be correctly mapped to appropriate kernel ids, while the lower ids of the reverse mapping will not.
This breaks inode_owner_or_capable() and privileged_wrt_inode_uidgid() which call helpers that need to access the reverse mapping. Thus, a process can incorrectly appear to be capable relative to an inode.
Note that the sorting logic is only triggered when more than five extents are specified and when user namespaces are nested. Hence, only containers with complex mappings in nested user namespaces are affected.
To fix this issue we need to ensures that the translation happens for both the forward and reverse mappings. First, the forward mappings are sorted and its lower ids translated into kernel ids. After this the forward mapping is copied and into the reverse mapping and the reverse mappings sorted.
A proposed patch is appended here. |
Jann Horn reported that nested user namespaces with more than five mappings allow gaining privilege over an inode.
Here is my write up of how this happens:
Currently, the forward map and reverse map are copied and sorted at the same time before necessary updates to the forward map have been performed. This has the consequence that the forward map receives the necessary pdates while the reverse map does not leaving it with invalid data. Specifically, this means that the lower ids of the forward mapping will be correctly mapped to appropriate kernel ids, while the lower ids of the reverse mapping will not.
This breaks inode_owner_or_capable() and privileged_wrt_inode_uidgid() which call helpers that need to access the reverse mapping. Thus, a process can incorrectly appear to be capable relative to an inode.
Note that the sorting logic is only triggered when more than five extents are specified and when user namespaces are nested. Hence, only containers with complex mappings in nested user namespaces are affected.
To fix this issue we need to ensures that the translation happens for both the forward and reverse mappings. First, the forward mappings are sorted and its lower ids translated into kernel ids. After this the forward mapping is copied and into the reverse mapping and the reverse mappings sorted.
A proposed patch is appended here. |
|
| 2018-11-06 12:18:12 |
Christian Brauner |
description |
Jann Horn reported that nested user namespaces with more than five mappings allow gaining privilege over an inode.
Here is my write up of how this happens:
Currently, the forward map and reverse map are copied and sorted at the same time before necessary updates to the forward map have been performed. This has the consequence that the forward map receives the necessary pdates while the reverse map does not leaving it with invalid data. Specifically, this means that the lower ids of the forward mapping will be correctly mapped to appropriate kernel ids, while the lower ids of the reverse mapping will not.
This breaks inode_owner_or_capable() and privileged_wrt_inode_uidgid() which call helpers that need to access the reverse mapping. Thus, a process can incorrectly appear to be capable relative to an inode.
Note that the sorting logic is only triggered when more than five extents are specified and when user namespaces are nested. Hence, only containers with complex mappings in nested user namespaces are affected.
To fix this issue we need to ensures that the translation happens for both the forward and reverse mappings. First, the forward mappings are sorted and its lower ids translated into kernel ids. After this the forward mapping is copied and into the reverse mapping and the reverse mappings sorted.
A proposed patch is appended here. |
Jann Horn reported that nested user namespaces with more than five mappings allow gaining privilege over an inode.
Here is my write up of how this happens:
Currently, the forward map and reverse map are copied and sorted at the same time before necessary updates to the forward map have been performed. This has the consequence that the forward map receives the necessary updates while the reverse map does not leaving it with invalid data. Specifically, this means that the lower ids of the forward mapping will be correctly mapped to appropriate kernel ids, while the lower ids of the reverse mapping will not.
This breaks inode_owner_or_capable() and privileged_wrt_inode_uidgid() which call helpers that need to access the reverse mapping. Thus, a process can incorrectly appear to be capable relative to an inode.
Note that the sorting logic is only triggered when more than five extents are specified and when user namespaces are nested. Hence, only containers with complex mappings in nested user namespaces are affected.
To fix this issue we need to ensures that the translation happens for both the forward and reverse mappings. First, the forward mappings are sorted and its lower ids translated into kernel ids. After this the forward mapping is copied and into the reverse mapping and the reverse mappings sorted.
A proposed patch is appended here. |
|
| 2018-11-06 15:38:00 |
Christian Brauner |
bug |
|
|
added subscriber Stéphane Graber |
| 2018-11-06 18:36:06 |
Tyler Hicks |
bug |
|
|
added subscriber Tyler Hicks |
| 2018-11-11 18:46:29 |
Stéphane Graber |
linux (Ubuntu): importance |
Undecided |
High |
|
| 2018-11-11 18:46:31 |
Stéphane Graber |
linux (Ubuntu): status |
New |
Triaged |
|
| 2018-11-13 07:15:42 |
Tyler Hicks |
information type |
Private Security |
Public Security |
|
| 2018-11-13 08:20:19 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
| 2018-11-13 08:20:20 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Joseph Salisbury |
| 2018-11-14 13:34:34 |
Thadeu Lima de Souza Cascardo |
nominated for series |
|
Ubuntu Bionic |
|
| 2018-11-14 13:34:34 |
Thadeu Lima de Souza Cascardo |
bug task added |
|
linux (Ubuntu Bionic) |
|
| 2018-11-14 13:34:34 |
Thadeu Lima de Souza Cascardo |
nominated for series |
|
Ubuntu Disco |
|
| 2018-11-14 13:34:34 |
Thadeu Lima de Souza Cascardo |
bug task added |
|
linux (Ubuntu Disco) |
|
| 2018-11-14 13:34:34 |
Thadeu Lima de Souza Cascardo |
nominated for series |
|
Ubuntu Cosmic |
|
| 2018-11-14 13:34:34 |
Thadeu Lima de Souza Cascardo |
bug task added |
|
linux (Ubuntu Cosmic) |
|
| 2018-11-14 13:34:47 |
Thadeu Lima de Souza Cascardo |
linux (Ubuntu Cosmic): status |
New |
Fix Committed |
|
| 2018-11-15 02:21:34 |
Thadeu Lima de Souza Cascardo |
linux (Ubuntu Bionic): status |
New |
Fix Committed |
|
| 2018-11-15 11:04:04 |
Brad Figg |
tags |
patch |
patch verification-needed-cosmic |
|
| 2018-11-16 18:15:02 |
Brad Figg |
tags |
patch verification-needed-cosmic |
patch verification-needed-bionic verification-needed-cosmic |
|
| 2018-11-21 03:39:33 |
Christian Brauner |
tags |
patch verification-needed-bionic verification-needed-cosmic |
patch verification-done-bionic verification-done-cosmic |
|
| 2018-11-27 18:49:32 |
Seth Forshee |
linux (Ubuntu Disco): status |
Triaged |
Fix Committed |
|
| 2018-12-03 08:49:32 |
Launchpad Janitor |
linux (Ubuntu Cosmic): status |
Fix Committed |
Fix Released |
|
| 2018-12-03 08:49:32 |
Launchpad Janitor |
cve linked |
|
2018-18653 |
|
| 2018-12-03 08:49:32 |
Launchpad Janitor |
cve linked |
|
2018-6559 |
|
| 2018-12-03 14:01:15 |
Launchpad Janitor |
linux (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2019-02-04 14:46:37 |
Launchpad Janitor |
linux (Ubuntu Disco): status |
Fix Committed |
Fix Released |
|
| 2019-07-24 20:56:56 |
Brad Figg |
tags |
patch verification-done-bionic verification-done-cosmic |
cscc patch verification-done-bionic verification-done-cosmic |
|
