This bug was fixed in the package linux - 4.15.0-42.45
---------------
linux (4.15.0-42.45) bionic; urgency=medium
* linux: 4.15.0-42.45 -proposed tracker (LP: #1803592)
* [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
- KVM: s390: reset crypto attributes for all vcpus
- KVM: s390: vsie: simulate VCPU SIE entry/exit
- KVM: s390: introduce and use KVM_REQ_VSIE_RESTART
- KVM: s390: refactor crypto initialization
- s390: vfio-ap: base implementation of VFIO AP device driver
- s390: vfio-ap: register matrix device with VFIO mdev framework
- s390: vfio-ap: sysfs interfaces to configure adapters
- s390: vfio-ap: sysfs interfaces to configure domains
- s390: vfio-ap: sysfs interfaces to configure control domains
- s390: vfio-ap: sysfs interface to view matrix mdev matrix
- KVM: s390: interface to clear CRYCB masks
- s390: vfio-ap: implement mediated device open callback
- s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl
- s390: vfio-ap: zeroize the AP queues
- s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
- KVM: s390: Clear Crypto Control Block when using vSIE
- KVM: s390: vsie: Do the CRYCB validation first
- KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
- KVM: s390: vsie: Allow CRYCB FORMAT-2
- KVM: s390: vsie: allow CRYCB FORMAT-1
- KVM: s390: vsie: allow CRYCB FORMAT-0
- KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
- KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
- KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
- KVM: s390: device attrs to enable/disable AP interpretation
- KVM: s390: CPU model support for AP virtualization
- s390: doc: detailed specifications for AP virtualization
- KVM: s390: fix locking for crypto setting error path
- KVM: s390: Tracing APCB changes
- s390: vfio-ap: setup APCB mask using KVM dedicated function
- s390/zcrypt: Add ZAPQ inline function.
- s390/zcrypt: Review inline assembler constraints.
- s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
- s390/zcrypt: fix ap_instructions_available() returncodes
- s390/zcrypt: remove VLA usage from the AP bus
- s390/zcrypt: Remove deprecated ioctls.
- s390/zcrypt: Remove deprecated zcrypt proc interface.
- s390/zcrypt: Support up to 256 crypto adapters.
- [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module.
* Bypass of mount visibility through userns + mount propagation (LP: #1789161)
- mount: Retest MNT_LOCKED in do_umount
- mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts
* CVE-2018-18955: nested user namespaces with more than five extents
incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
- userns: also map extents in the reverse map to kernel IDs
* kdump fail due to an IRQ storm (LP: #1797990)
- SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
- SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
- SAUCE: x86/quirks: Scan all busses for early PCI quirks
-- Thadeu Lima de Souza Cascardo <casca...@canonical.com> Thu, 15 Nov
2018 17:01:46 -0200
** Changed in: linux (Ubuntu Bionic)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1793458
Title:
Overlayfs in user namespace leaks directory content of inaccessible
directories
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Bionic:
Fix Released
Status in linux source package in Cosmic:
Fix Released
Status in linux source package in Disco:
In Progress
Bug description:
Summary: With a combination of overlayfs and user namespaces, regular
users can see the content of directories that would otherwise be
inaccessible to them because of directory permissions (e.g., all users
can see content of "/root").
Details: For the exploit it is necessary to create user and mount
namespaces and mount an overlayfs inside it. Ubuntu allows this for
regular users. The lower dir of the overlay would be "/", and the
upper dir an attacker-controlled temporary directory. If the attacker
wants to see the content of "/root", they would create a directory
"root" in the upper dir of the overlay. Overlays seems to get confused
about the permissions, and instead of applying the restrictive
permissions of "root" from the lower dir, it applies more relaxed
restrictions of "root" from the upper dir, granting the attacker the
possibility to list the directory contents of "/root".
To reproduce, simply run the attached script as regular user. It will show
the content of "/root", on my system the output is this:
```
/bin/ls: cannot access '/root/.cache': Permission denied
/bin/ls: cannot access '/root/.bashrc': Permission denied
/bin/ls: cannot access '/root/snap': Permission denied
/bin/ls: cannot access '/root/.gnupg': Permission denied
/bin/ls: cannot access '/root/.aptitude': Permission denied
/bin/ls: cannot access '/root/.bash_history': Permission denied
/bin/ls: cannot access '/root/.profile': Permission denied
/bin/ls: cannot access '/root/.hplip': Permission denied
total 8
drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 .
drwxr-xr-x 1 nobody nogroup 4096 Sep 20 09:02 ..
d????????? ? ? ? ? ? .aptitude
-????????? ? ? ? ? ? .bash_history
-????????? ? ? ? ? ? .bashrc
d????????? ? ? ? ? ? .cache
d????????? ? ? ? ? ? .gnupg
d????????? ? ? ? ? ? .hplip
-????????? ? ? ? ? ? .profile
d????????? ? ? ? ? ? snap
```
The script also has some comments that explain the necessary steps in
more details.
I tested on Ubuntu 18.04 with Linux 4.15.0-34-generic, but the bug
probably affects all Ubuntu versions of the last years. Other
distributions and the vanilla kernel should not be affected because
AFAIK only Ubuntu allows mounting of overlayfs inside user namespaces.
But of course it would be good to apply a potential fix upstream.
So far I did not succeed in doing more than leaking the directory
content, but of course that is no guarantee that it is not possible to
do worse things.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-34-generic 4.15.0-34.37
ProcVersionSignature: Ubuntu 4.15.0-34.37-generic 4.15.18
Uname: Linux 4.15.0-34-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.3
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/controlC1: wendler 3414 F.... pulseaudio
/dev/snd/controlC0: wendler 3414 F.... pulseaudio
CurrentDesktop: Unity:Unity7:ubuntu
Date: Thu Sep 20 08:56:01 2018
HibernationDevice: RESUME=UUID=f9d1a1f9-50d2-4b7c-b7e4-66dc78d38062
InstallationDate: Installed on 2016-12-12 (646 days ago)
InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64
(20160719)
MachineType: LENOVO 20FXS1B700
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-34-generic
root=/dev/mapper/ubuntu--vg-root ro quiet splash
resume=/dev/mapper/ubuntu--vg-swap_1 swapaccount=1
RelatedPackageVersions:
linux-restricted-modules-4.15.0-34-generic N/A
linux-backports-modules-4.15.0-34-generic N/A
linux-firmware 1.173.1
SourcePackage: linux
UpgradeStatus: Upgraded to bionic on 2018-09-04 (15 days ago)
dmi.bios.date: 09/26/2016
dmi.bios.vendor: LENOVO
dmi.bios.version: R07ET71W (2.11 )
dmi.board.asset.tag: Not Available
dmi.board.name: 20FXS1B700
dmi.board.vendor: LENOVO
dmi.board.version: SDK0J40697 WIN
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: None
dmi.modalias:
dmi:bvnLENOVO:bvrR07ET71W(2.11):bd09/26/2016:svnLENOVO:pn20FXS1B700:pvrThinkPadT460p:rvnLENOVO:rn20FXS1B700:rvrSDK0J40697WIN:cvnLENOVO:ct10:cvrNone:
dmi.product.family: ThinkPad T460p
dmi.product.name: 20FXS1B700
dmi.product.version: ThinkPad T460p
dmi.sys.vendor: LENOVO
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1793458/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
