overlayfs : broken access to r/w files
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | In Progress | Undecided | Unassigned |
Xenial | Fix Released | Medium | Ioanna Alifieraki |
Bug Description
[Description]
Commit c0ca3d70e8d3 (ovl: modify ovl_permission() to do checks on two inodes) (upstream id) breaks r/w access in overlayfs in 4.4 Ubuntu kernels; later Ubuntu kernels are not affected.
There are two options to fix this: either (a) backport ce31513a9114 (ovl: copyattr after setting POSIX ACL) to 4.4, or (b) revert the offending commit c0ca3d70e8d3 (ovl: modify ovl_permission() to do checks on two inodes).
Option (a) has a high risk of regression since ce31513a9114 (ovl: copyattr after setting POSIX ACL) has many dependencies on other commits that would need to be backported too.
We'll proceed with reverting c0ca3d70e8d3 (ovl: modify ovl_permission() to do checks on two inodes).
This commit is associated with CVE-2018-16597; however, 4.4 kernels (both Ubuntu and upstream) are NOT affected by this CVE, so it is safe to revert it.
The offending commit was introduced upstream in v4.8-rc1. At that point it had nothing to do with any CVE.
It became associated with CVE-2018-16597 because it was the fix for bug [1].
It was then backported to stable 4.4 and this way it ended up in Ubuntu 4.4 kernels.
[Test Case]
----> Offending commit breaks r/w access in overlayfs
Reproducer available in [2].
To run the reproducer:
$ ./make-overlay.sh
$ ./test.sh
# With the offending commit in place:
$ ./test.sh
st_mode is 100644
open failed: -1
cat: /tmp/overlay/
-rw-r--r-- 1 jo jo 0 Oct 11 09:57 /tmp/overlay/animal
# With the offending commit reverted:
$ ./test.sh
st_mode is 100644
-rw-r--r-- 1 jo jo 0 Oct 11 16:01 /tmp/overlay/animal
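The test.sh output above shows the bug's signature: st_mode reports a regular file the caller owns with mode 0644, yet opening it read/write on the overlay fails. The probe below is an added example in the spirit of that check, not the reproducer from [2]; the path /tmp/overlay/animal is taken from the output above, and make_probe_file() only creates a local file so the probe can be exercised without an overlay mount.

```c
/* Added example: stat a path, report st_mode, then try to open it O_RDWR.
 * On an affected 4.4 kernel a file on the overlay shows a writable-looking
 * mode (100644, owned by the caller) while the open still fails. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 when the file opens O_RDWR, otherwise the errno from stat()
 * or open(). *mode_out receives st_mode (0 if stat() failed). */
int probe_rw(const char *path, unsigned *mode_out)
{
    struct stat st;
    if (mode_out) *mode_out = 0;
    if (stat(path, &st) != 0)
        return errno;
    if (mode_out) *mode_out = (unsigned)st.st_mode;
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Constructed input for a local run: an empty file forced to mode 0644
 * (fchmod so the umask does not change the result). No overlay involved. */
int make_probe_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return errno;
    if (fchmod(fd, 0644) != 0) { int e = errno; close(fd); return e; }
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    /* Default path is the overlay file from the test.sh output above. */
    const char *path = argc > 1 ? argv[1] : "/tmp/overlay/animal";
    unsigned mode;
    int rc = probe_rw(path, &mode);
    printf("st_mode is %o\n", mode);          /* same line test.sh prints */
    if (rc)
        printf("open failed: %s\n", strerror(rc));
    else
        printf("open ok\n");
    return rc ? 1 : 0;
}
```

Run it against a file on the overlay (as the owning user) before and after the revert; a 100644 mode paired with an EACCES from open is the broken case, an "open ok" is the fixed one.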
[Other]
----> Test whether 4.4 kernels are affected by CVE-2018-16597
Since the offending commit c0ca3d70e8d3 (ovl: modify ovl_permission() to do checks on two inodes) is related to CVE-2018-16597, a test script is provided to confirm that 4.4 kernels are not affected by this CVE and that it is therefore safe to revert the commit.
Kernels tested:
4.4 ESM kernels:
- 4.4.0-1057-aws (offending reverted) PASS
- 4.4.0-167-generic (offending reverted) PASS
4.4 AWS kernels (not ESM):
- 4.4.0-1097-aws as is PASS
- 4.4.0-1097-aws offending reverted PASS
4.4 Generic kernels (not ESM):
- 4.4.0-165-generic as is PASS
- 4.4.0-165-generic (offending reverted) PASS
Upstream kernels:
- latest upstream PASS
- upstream at offending PASS
- upstream before offending PASS
- 4.4 stable before offending PASS
### DETAILS
A simple script is attached (test_overlay_
They are not. Neither is the stable 4.4.y upstream kernel.
The script tests the reproducer found in [1] and a modified version
of it that doesn't break the following rule (quoting from [3]):
"Changes to the underlying filesystems while part of a mounted overlay
filesystem are not allowed. If the underlying filesystem is changed,
the behavior of the overlay is undefined, though it will not result in
a crash or deadlock."
These two test cases should fail, so expect to see
"cp: cannot create regular file <the file we're writing>: Permission denied".
Then there are a few other test cases (files placed in lower/upper dirs and owned
by root/user).
The script checks the contents of the files at the end and reports anything wrong by printing:
Problem with file <file>
and then cat-ing the file and listing the permissions.
An example (correct) output is the following:
-------
$ ./test_
Testing reproducer
This should fail
cp: cannot create regular file '/home/
Testing reproducer modified
This should fail
cp: cannot create regular file '/home/
Testing other cases
./test_
./test_
./test_
./test_
#######
CHECK LOWER
#######
CHECK UPPER
#######
CHECK OVERLAY
-------
We see that "Testing reproducer" fails, so we are OK.
In addition, "Testing other cases" gives 4 "Permission denied" errors, which is
also the desired behaviour, as a user is trying to write root-owned files.
If there is output after CHECK LOWER/UPPER/OVERLAY, something has gone wrong and needs
investigation. In the case above nothing is printed, so we're good.
[1] https:/
[2] https:/
[3] linux/Documenta
CVE References
Changed in linux (Ubuntu Xenial):
status: New → Confirmed
importance: Undecided → High
importance: High → Medium
assignee: nobody → Ioanna Alifieraki (joalif)
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1851243
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.