Lack of privilege checking in do_write_pids

Bug #1512854 reported by Serge Hallyn
Affects          Status         Importance   Assigned to   Milestone
lxcfs (Ubuntu)   Fix Released   Undecided    Unassigned
  Vivid          Fix Released   Undecided    Unassigned
  Wily           Fix Released   Undecided    Unassigned
  Xenial         Fix Released   Undecided    Unassigned

Bug Description

cd /var/lib/lxcfs/cgroup/freezer/user/serge/1/lxc
echo 1 > tasks

In cgmanager, the equivalent action would check for the calling uid's privilege over the target pid's uid. However, lxcfs fails to do such a check. Therefore any user only needs write access to the tasks file, and then can move any pid which it can address into the cgroup owning that tasks file.

lxcfs needs to, for each pid, check that the calling uid has the privilege to move the target uid. i.e.:

 * they are the same task
 * they are owned by the same uid
 * @r is root on the host, or
 * @v's uid is mapped into @r's where @r is root.

(copied from the function implementing this for cgmanager).

Note, cgmanager does not do this check for us because we make the cgmanager request as root on the host.

Tags: patch
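
The per-pid check the report calls for, as an added example (not lxcfs or cgmanager code): every pid in a write to a tasks file is tested against the four conditions before any move is allowed. The function names, the process table and the uid_map strings are constructed for illustration; the map text follows the /proc/<pid>/uid_map layout.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

struct task { pid_t pid; uid_t uid; };   /* uid as seen on the host */
/* Constructed process table standing in for a /proc/<pid> credential lookup. */
static const struct task TASKS[] = { {1, 0}, {100, 100000}, {200, 101000}, {300, 1000}, {301, 1000}, {400, 1001} };

static const struct task *find_task(pid_t pid)
{
    for (size_t i = 0; i < sizeof(TASKS) / sizeof(TASKS[0]); i++)
        if (TASKS[i].pid == pid) return &TASKS[i];
    return NULL;
}

/* Map a host uid through uid_map text ("ns_start host_start count" per line). */
static bool host_uid_to_ns(const char *map, uid_t host, uid_t *ns)
{
    unsigned int ns_start, host_start, count;
    int used;
    for (; sscanf(map, "%u %u %u%n", &ns_start, &host_start, &count, &used) == 3; map += used)
        if (host >= host_start && host - host_start < count) {
            *ns = ns_start + (host - host_start);
            return true;
        }
    return false;   /* uid has no mapping in this namespace */
}

/* The four conditions from the report: may requestor r move victim v? */
static bool may_move_pid(const struct task *r, const char *r_map, const struct task *v)
{
    uid_t ns;
    if (r->pid == v->pid || r->uid == v->uid || r->uid == 0)
        return true;
    /* r must be root inside its own namespace and v's uid must be mapped there */
    return host_uid_to_ns(r_map, r->uid, &ns) && ns == 0 &&
           host_uid_to_ns(r_map, v->uid, &ns);
}

/* Check every pid in a write to "tasks"; return the first refused pid, 0 if all pass. */
static pid_t first_refused_pid(pid_t requestor, const char *r_map, const char *buf)
{
    const struct task *r = find_task(requestor), *v;
    char *end;
    for (long pid; (pid = strtol(buf, &end, 10)), end != buf; buf = end)
        if (!r || !(v = find_task((pid_t)pid)) || !may_move_pid(r, r_map, v))
            return (pid_t)pid;   /* unknown pid or insufficient privilege */
    return 0;
}
```

A caller would reject the whole write when the result is non-zero, so write access to the tasks file alone is no longer sufficient.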

CVE References

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2015-1344

Changed in lxcfs (Ubuntu Vivid):
status: New → Confirmed
Changed in lxcfs (Ubuntu Wily):
status: New → Confirmed
Changed in lxcfs (Ubuntu Xenial):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

CRD for this issue will be 2015-11-17 18:00:00 UTC

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxcfs - 0.10-0ubuntu2.1

---------------
lxcfs (0.10-0ubuntu2.1) wily-security; urgency=medium

  * SECURITY UPDATE: does not properly enforce directory escapes
    (LP: #1508481)
    - debian/patches/0002-fix-checking-of-parent-dirs.patch: Ensure that a
      task under cgroup /a/b cannot mkdir, rmdir, or modify files under,
      directories not under /a/b. Add a testcase for this.
    - CVE-2015-1342
  * SECURITY UPDATE: lack of privilege checking in do_write_pids
    (LP: #1512854)
    - debian/patches/0002-Fix-movepid-cve.patch: Fix missing privilege
      check when moving pids to a new cgroup.
    - CVE-2015-1344

 -- Marc Deslauriers <email address hidden> Wed, 11 Nov 2015 07:19:02 -0500

Changed in lxcfs (Ubuntu Wily):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxcfs - 0.7-0ubuntu4.1

---------------
lxcfs (0.7-0ubuntu4.1) vivid-security; urgency=medium

  * SECURITY UPDATE: does not properly enforce directory escapes
    (LP: #1508481)
    - debian/patches/0005-fix-checking-of-parent-dirs.patch: Ensure that a
      task under cgroup /a/b cannot mkdir, rmdir, or modify files under,
      directories not under /a/b. Add a testcase for this.
    - CVE-2015-1342
  * SECURITY UPDATE: lack of privilege checking in do_write_pids
    (LP: #1512854)
    - debian/patches/0005-Fix-movepid-cve.patch: Fix missing privilege
      check when moving pids to a new cgroup.
    - CVE-2015-1344

 -- Marc Deslauriers <email address hidden> Wed, 11 Nov 2015 07:19:02 -0500

Changed in lxcfs (Ubuntu Vivid):
status: Confirmed → Fix Released
information type: Private Security → Public Security
tags: added: patch
Stéphane Graber (stgraber) wrote :

Pretty sure 0.13 contains this fix, closing.

Changed in lxcfs (Ubuntu Xenial):
status: Confirmed → Fix Released