From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751724AbbK2WnR (ORCPT <rfc822;w@1wt.eu>);
	Sun, 29 Nov 2015 17:43:17 -0500
Received: from a.ns.miles-group.at ([95.130.255.143]:11950 "EHLO radon.swed.at"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751203AbbK2WnO (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Sun, 29 Nov 2015 17:43:14 -0500
To: "netdev@vger.kernel.org" <netdev@vger.kernel.org>
From: Richard Weinberger <richard@nod.at>
Subject: user controllable usermodehelper in br_stp_if.c
X-Enigmail-Draft-Status: N1110
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "kernel-hardening@lists.openwall.com" 
	<kernel-hardening@lists.openwall.com>,
        "keescook@chromium.org" <keescook@chromium.org>,
        bridge@lists.linux-foundation.org,
        Stephen Hemminger <stephen@networkplumber.org>
Message-ID: <565B7F7D.80208@nod.at>
Date: Sun, 29 Nov 2015 23:43:09 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi!

By spawning new network and user namesapces an unprivileged user
is able to execute /sbin/bridge-stp within the initial mount namespace
with global root rights.
While this cannot directly be used to break out of a container or gain
global root rights it could be used by exploit writers as valuable building block.

e.g.
$ unshare -U -r -n /bin/sh
$ brctl addbr br0
$ brctl stp br0 on # this will execute /sbin/bridge-stp

As this mechanism clearly cannot work with containers and seems to be legacy code
I suggest not calling call_usermodehelper() at all if we're not in the initial user namespace.
What do you think?

Thanks,
//richard