From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
Sebastian Krahmer <krahmer-l3A5Bk7waGM@public.gmane.org>,
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Linux Kernel Mailing List
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: CLONE_NEWUSER|CLONE_FS root exploit
Date: Thu, 14 Mar 2013 13:29:10 -0700 [thread overview]
Message-ID: <87hakdrai1.fsf@xmission.com> (raw)
In-Reply-To: <51412C67.30908-3s7WtUTddSA@public.gmane.org> (Andy Lutomirski's message of "Wed, 13 Mar 2013 18:48:23 -0700")
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> writes:
> On 03/13/2013 11:35 AM, Eric W. Biederman wrote:
>> Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw-XMD5yJDbdMReXY1tMh2IBg@public.gmane.org> writes:
>>
>>> Hi,
>>>
>>> It seem like we should block (at least) this combination. On 3.9, this
>>> exploit works once uidmapping is added.
>>>
>>> http://www.openwall.com/lists/oss-security/2013/03/13/10
>>
>> Yes. That is a bad combination. It let's chroot confuse privileged
>> processes.
>>
>> Now to figure out if this is easier to squash by adding a user_namespace
>> to fs_struct or by just forbidding this combination.
>
> It's worth making sure that setns(2) doesn't have similar issues.
setns(2) and unshare(2) are done and merged. See commit.
commit e66eded8309ebf679d3d3c1f5820d1f2ca332c71
Author: Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Date: Wed Mar 13 11:51:49 2013 -0700
userns: Don't allow CLONE_NEWUSER | CLONE_FS
> Looking through other shared-but-not-a-namespace things, there are:
>
> fs_struct: Buggy as noted.
>
> files_struct: Probably harmless -- SCM_RIGHTS can emulate it
>
> signal_struct: This interacts with the tty code. Is it okay?
It should be. The tty code is heavily pid based, and CLONE_NEWPID
requires !CLONE_VM (which implies !CLONE_SIGHAND and !CLONE_VM).
> sighand_struct: Looks safe. Famous last words.
>
> FWIW, I've been alarmed in the past that struct path (e.g. the root
> directory) implies an mnt_namespace (hidden in struct mount), and it's
> entirely possible for the root directory's mnt_namespace not to match
> nsproxy->mnt_namespace. I'm not sure what the implications are, but
> this doesn't seem healthy.
The calls to check_mnt prevent abuse of the files found with fs_struct
not matching the current mount namespace.
static inline int check_mnt(struct mount *mnt)
{
return mnt->mnt_ns == current->nsproxy->mnt_ns;
}
Thanks for looking I know I did the same double take and wondered if I
had missed anything else by accident when this bug showed up.
So far even just looking it all over again I can't see anything. But I
have clearly been blind before.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Andy Lutomirski <luto@amacapital.net>
Cc: Kees Cook <keescook@chromium.org>,
containers@lists.linux-foundation.org,
Sebastian Krahmer <krahmer@suse.de>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Oleg Nesterov <oleg@redhat.com>
Subject: Re: CLONE_NEWUSER|CLONE_FS root exploit
Date: Thu, 14 Mar 2013 13:29:10 -0700 [thread overview]
Message-ID: <87hakdrai1.fsf@xmission.com> (raw)
In-Reply-To: <51412C67.30908@mit.edu> (Andy Lutomirski's message of "Wed, 13 Mar 2013 18:48:23 -0700")
Andy Lutomirski <luto@amacapital.net> writes:
> On 03/13/2013 11:35 AM, Eric W. Biederman wrote:
>> Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> writes:
>>
>>> Hi,
>>>
>>> It seem like we should block (at least) this combination. On 3.9, this
>>> exploit works once uidmapping is added.
>>>
>>> http://www.openwall.com/lists/oss-security/2013/03/13/10
>>
>> Yes. That is a bad combination. It let's chroot confuse privileged
>> processes.
>>
>> Now to figure out if this is easier to squash by adding a user_namespace
>> to fs_struct or by just forbidding this combination.
>
> It's worth making sure that setns(2) doesn't have similar issues.
setns(2) and unshare(2) are done and merged. See commit.
commit e66eded8309ebf679d3d3c1f5820d1f2ca332c71
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Wed Mar 13 11:51:49 2013 -0700
userns: Don't allow CLONE_NEWUSER | CLONE_FS
> Looking through other shared-but-not-a-namespace things, there are:
>
> fs_struct: Buggy as noted.
>
> files_struct: Probably harmless -- SCM_RIGHTS can emulate it
>
> signal_struct: This interacts with the tty code. Is it okay?
It should be. The tty code is heavily pid based, and CLONE_NEWPID
requires !CLONE_VM (which implies !CLONE_SIGHAND and !CLONE_VM).
> sighand_struct: Looks safe. Famous last words.
>
> FWIW, I've been alarmed in the past that struct path (e.g. the root
> directory) implies an mnt_namespace (hidden in struct mount), and it's
> entirely possible for the root directory's mnt_namespace not to match
> nsproxy->mnt_namespace. I'm not sure what the implications are, but
> this doesn't seem healthy.
The calls to check_mnt prevent abuse of the files found with fs_struct
not matching the current mount namespace.
static inline int check_mnt(struct mount *mnt)
{
return mnt->mnt_ns == current->nsproxy->mnt_ns;
}
Thanks for looking I know I did the same double take and wondered if I
had missed anything else by accident when this bug showed up.
So far even just looking it all over again I can't see anything. But I
have clearly been blind before.
Eric
next prev parent reply other threads:[~2013-03-14 20:29 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-13 17:57 CLONE_NEWUSER|CLONE_FS root exploit Kees Cook
[not found] ` <20130313175729.GH12501-oSa+0FWJbaXR7s880joybQ@public.gmane.org>
2013-03-13 18:35 ` Eric W. Biederman
2013-03-13 18:35 ` Eric W. Biederman
[not found] ` <87r4jjkv18.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-03-14 1:48 ` Andy Lutomirski
2013-03-14 1:48 ` Andy Lutomirski
[not found] ` <51412C67.30908-3s7WtUTddSA@public.gmane.org>
2013-03-14 20:29 ` Eric W. Biederman [this message]
2013-03-14 20:29 ` Eric W. Biederman
[not found] ` <87hakdrai1.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-03-14 21:32 ` Andy Lutomirski
2013-03-14 21:32 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87hakdrai1.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
--cc=krahmer-l3A5Bk7waGM@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.