Comment 6 for bug 1534961

J. R. Okajima (hooanon05) wrote : Re: insecure overlayfs xattrs handling in copy_up

FYI

The security bug hunter "halfdog" kindly told me that this problem can be reproduced with AUFS.
I've confirmed and fixed it. Here is aufs's approach, in the hope that it is a little help for overlayfs.

In copy-up, the internal sequence is
- create an entry on the upper writable layer.
- copy all the attributes from the inode on the lower read-only branch.

The essential fix is inserting vfs_removexattr(XATTR_NAME_POSIX_ACL_ACCESS) between them.
For dirs, XATTR_NAME_POSIX_ACL_DEFAULT should be removed too. And then copy all the attributes including XATTRs.
But removing all ACL_ACCESS may cause another problem, since some fs (for example, NFS) may want an ACL which is equivalent to the permission bits. So just after removing the XATTR, posix_acl_chmod() should be called.
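
The ordering described in the comment above, as an added userspace analogue in C (not aufs or overlayfs code, and not part of the original comment). `copy_up_model` and `drop_acl` are hypothetical names, the xattr syscalls replace the in-kernel `vfs_*` calls, and a plain `chmod()` stands in for `posix_acl_chmod()`.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Remove one ACL xattr; "no such xattr" and "no ACL support" both count as success. */
static int drop_acl(const char *path, const char *name)
{
    return (removexattr(path, name) == 0 || errno == ENODATA || errno == ENOTSUP) ? 0 : -1;
}

/* Hypothetical helper (assumption, not a kernel API): returns 0 on success, -1 on error. */
int copy_up_model(const char *src, const char *dst)
{
    struct stat st;
    char names[4096], value[4096];
    ssize_t len, vlen;
    int fd, isdir;

    if (stat(src, &st) < 0 || !(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)))
        return -1;
    isdir = S_ISDIR(st.st_mode);
    /* Step 1: create the entry. A default ACL on dst's parent is inherited here. */
    fd = isdir ? mkdir(dst, 0700) : open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || (!isdir && close(fd) < 0))
        return -1;
    /* The fix: strip the inherited ACLs before copying anything, then re-derive
     * the permissions from the mode bits (chmod stands in for posix_acl_chmod). */
    if (drop_acl(dst, "system.posix_acl_access") < 0 ||
        (isdir && drop_acl(dst, "system.posix_acl_default") < 0) ||
        chmod(dst, st.st_mode & 07777) < 0)
        return -1;
    /* Step 2: copy all xattrs; skip values that cannot be read or that dst refuses. */
    if ((len = listxattr(src, names, sizeof(names))) < 0)
        return errno == ENOTSUP ? 0 : -1;
    for (char *n = names; n < names + len; n += strlen(n) + 1) {
        vlen = getxattr(src, n, value, sizeof(value));
        if (vlen >= 0 && setxattr(dst, n, value, (size_t)vlen, 0) < 0 &&
            errno != ENOTSUP && errno != EPERM && errno != EACCES)
            return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    return (argc == 3 && copy_up_model(argv[1], argv[2]) == 0) ? 0 : 1;
}
```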