From: ebiederm@xmission.com (Eric W. Biederman)
To: Ben Hutchings <ben@decadent.org.uk>
Cc: stable@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sasha.levin@oracle.com>,
Jiri Slaby <jirislaby@gmail.com>,
Willy Tarreau <willy@meta-x.org>, Li Zefan <lizefan@huawei.com>
Subject: Re: [PATCHES] Bind mount escape fixes (CVE-2015-2925)
Date: Fri, 02 Oct 2015 11:01:31 -0500 [thread overview]
Message-ID: <87vbaptg2s.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <87k2r6ueyd.fsf@x220.int.ebiederm.org> (Eric W. Biederman's message of "Thu, 01 Oct 2015 22:28:10 -0500")
ebiederm@xmission.com (Eric W. Biederman) writes:
> Ben Hutchings <ben@decadent.org.uk> writes:
>
>> On Thu, 2015-10-01 at 11:15 -0500, Eric W. Biederman wrote:
>>> With a strategically placed rename bind mounts can be tricked into
>>> giving processes access to the entire filesystem instead of just a piece
>>> of it. This misfeature has existed since bind mounts were introduced
>>> into the kernel. This issue has been fixed in Linus's tree and below
>>> are my tested backports of the fixes to 4.2.1, 4.1.8, 3.18.21, 3.14.53,
>>> 3.12.48, 3.10.89, 3.4.109, 3.2.71, 2.6.32.68. All of the kernels
>>> currently listed as being active.
>>
>> I'm not convinced that this is necessary for the 2.6.32, 3.2 or 3.4
>> stable branches. While it is possible for an administrator to screw
>> this up, there is no possibility of a user being able to exploit this
>> from a user namespace where they have namespaced-CAP_SYS_ADMIN.
>
> It is cheap and easy to fix. I made and tested the changes. So why
> not.
>
Having thought about this I definitely think we need this on older
kernels. I am aware of at least one piece of software that predates
2.6.32 is vulnerable to this escape.
The software in all innocence bind mounted a users /home directory into
a root filesystem that was stored in the users /home directory. That
is enough to allow the escape with a simple unprivileged rename.
So since this is actually exploitable on real userspace software that
predates 2.6.32 I think this fix needs to be backported, as it is not
a theoretical issue.
Eric
next prev parent reply other threads:[~2015-10-02 16:10 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-01 16:15 [PATCHES] Bind mount escape fixes (CVE-2015-2925) Eric W. Biederman
2015-10-01 23:08 ` Willy Tarreau
2015-10-02 2:45 ` Ben Hutchings
2015-10-02 3:28 ` Eric W. Biederman
2015-10-02 16:01 ` Eric W. Biederman [this message]
2015-10-03 1:48 ` Ben Hutchings
2015-10-03 6:12 ` Willy Tarreau
2015-10-02 9:26 ` Jiri Slaby
2015-10-05 10:34 ` Luis Henriques
2015-10-08 1:08 ` Ben Hutchings
2015-10-08 5:11 ` Willy Tarreau
2015-10-18 0:01 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87vbaptg2s.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=ben@decadent.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=jirislaby@gmail.com \
--cc=lizefan@huawei.com \
--cc=sasha.levin@oracle.com \
--cc=stable@vger.kernel.org \
--cc=willy@meta-x.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.