From: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
Sebastian Krahmer <krahmer-l3A5Bk7waGM@public.gmane.org>,
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Linux Kernel Mailing List
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: CLONE_NEWUSER|CLONE_FS root exploit
Date: Wed, 13 Mar 2013 18:48:23 -0700 [thread overview]
Message-ID: <51412C67.30908@mit.edu> (raw)
In-Reply-To: <87r4jjkv18.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
On 03/13/2013 11:35 AM, Eric W. Biederman wrote:
> Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org> writes:
>
>> Hi,
>>
>> It seem like we should block (at least) this combination. On 3.9, this
>> exploit works once uidmapping is added.
>>
>> http://www.openwall.com/lists/oss-security/2013/03/13/10
>
> Yes. That is a bad combination. It let's chroot confuse privileged
> processes.
>
> Now to figure out if this is easier to squash by adding a user_namespace
> to fs_struct or by just forbidding this combination.
It's worth making sure that setns(2) doesn't have similar issues.
Looking through other shared-but-not-a-namespace things, there are:
fs_struct: Buggy as noted.
files_struct: Probably harmless -- SCM_RIGHTS can emulate it
signal_struct: This interacts with the tty code. Is it okay?
sighand_struct: Looks safe. Famous last words.
FWIW, I've been alarmed in the past that struct path (e.g. the root
directory) implies an mnt_namespace (hidden in struct mount), and it's
entirely possible for the root directory's mnt_namespace not to match
nsproxy->mnt_namespace. I'm not sure what the implications are, but
this doesn't seem healthy.
--Andy
WARNING: multiple messages have this Message-ID (diff)
From: Andy Lutomirski <luto@amacapital.net>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Kees Cook <keescook@chromium.org>,
containers@lists.linux-foundation.org,
Sebastian Krahmer <krahmer@suse.de>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Oleg Nesterov <oleg@redhat.com>
Subject: Re: CLONE_NEWUSER|CLONE_FS root exploit
Date: Wed, 13 Mar 2013 18:48:23 -0700 [thread overview]
Message-ID: <51412C67.30908@mit.edu> (raw)
In-Reply-To: <87r4jjkv18.fsf@xmission.com>
On 03/13/2013 11:35 AM, Eric W. Biederman wrote:
> Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> writes:
>
>> Hi,
>>
>> It seem like we should block (at least) this combination. On 3.9, this
>> exploit works once uidmapping is added.
>>
>> http://www.openwall.com/lists/oss-security/2013/03/13/10
>
> Yes. That is a bad combination. It let's chroot confuse privileged
> processes.
>
> Now to figure out if this is easier to squash by adding a user_namespace
> to fs_struct or by just forbidding this combination.
It's worth making sure that setns(2) doesn't have similar issues.
Looking through other shared-but-not-a-namespace things, there are:
fs_struct: Buggy as noted.
files_struct: Probably harmless -- SCM_RIGHTS can emulate it
signal_struct: This interacts with the tty code. Is it okay?
sighand_struct: Looks safe. Famous last words.
FWIW, I've been alarmed in the past that struct path (e.g. the root
directory) implies an mnt_namespace (hidden in struct mount), and it's
entirely possible for the root directory's mnt_namespace not to match
nsproxy->mnt_namespace. I'm not sure what the implications are, but
this doesn't seem healthy.
--Andy
next prev parent reply other threads:[~2013-03-14 1:48 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-13 17:57 CLONE_NEWUSER|CLONE_FS root exploit Kees Cook
[not found] ` <20130313175729.GH12501-oSa+0FWJbaXR7s880joybQ@public.gmane.org>
2013-03-13 18:35 ` Eric W. Biederman
2013-03-13 18:35 ` Eric W. Biederman
[not found] ` <87r4jjkv18.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-03-14 1:48 ` Andy Lutomirski [this message]
2013-03-14 1:48 ` Andy Lutomirski
[not found] ` <51412C67.30908-3s7WtUTddSA@public.gmane.org>
2013-03-14 20:29 ` Eric W. Biederman
2013-03-14 20:29 ` Eric W. Biederman
[not found] ` <87hakdrai1.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-03-14 21:32 ` Andy Lutomirski
2013-03-14 21:32 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51412C67.30908@mit.edu \
--to=luto-klttt9wpgjjwatoyat5jvq@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=krahmer-l3A5Bk7waGM@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.