group.of.nepali.translators team mailing list archive
Message #28347
[Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation
This bug was fixed in the package linux - 4.19.0-12.13
---------------
linux (4.19.0-12.13) disco; urgency=medium
* linux: 4.19.0-12.13 -proposed tracker (LP: #1813664)
* kernel oops in bcache module (LP: #1793901)
- SAUCE: bcache: never writeback a discard operation
* Disco update: 4.19.18 upstream stable release (LP: #1813611)
- ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address
- mlxsw: spectrum: Disable lag port TX before removing it
- mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
- net: dsa: mv88x6xxx: mv88e6390 errata
- net, skbuff: do not prefer skb allocation fails early
- qmi_wwan: add MTU default to qmap network interface
- ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
- net: clear skb->tstamp in bridge forwarding path
- netfilter: ipset: Allow matching on destination MAC address for mac and
ipmac sets
- gpio: pl061: Move irq_chip definition inside struct pl061
- drm/amd/display: Guard against null stream_state in set_crc_source
- drm/amdkfd: fix interrupt spin lock
- ixgbe: allow IPsec Tx offload in VEPA mode
- platform/x86: asus-wmi: Tell the EC the OS will handle the display off
hotkey
- e1000e: allow non-monotonic SYSTIM readings
- usb: typec: tcpm: Do not disconnect link for self powered devices
- selftests/bpf: enable (uncomment) all tests in test_libbpf.sh
- of: overlay: add missing of_node_put() after add new node to changeset
- writeback: don't decrement wb->refcnt if !wb->bdi
- serial: set suppress_bind_attrs flag only if builtin
- bpf: Allow narrow loads with offset > 0
- ALSA: oxfw: add support for APOGEE duet FireWire
- x86/mce: Fix -Wmissing-prototypes warnings
- MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
- crypto: ecc - regularize scalar for scalar multiplication
- arm64: perf: set suppress_bind_attrs flag to true
- drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
- clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
- samples: bpf: fix: error handling regarding kprobe_events
- usb: gadget: udc: renesas_usb3: add a safety connection way for
forced_b_device
- fpga: altera-cvp: fix probing for multiple FPGAs on the bus
- selinux: always allow mounting submounts
- ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
- scsi: qedi: Check for session online before getting iSCSI TLV data.
- drm/amdgpu: Reorder uvd ring init before uvd resume
- rxe: IB_WR_REG_MR does not capture MR's iova field
- efi/libstub: Disable some warnings for x86{,_64}
- jffs2: Fix use of uninitialized delayed_work, lockdep breakage
- clk: imx: make mux parent strings const
- pstore/ram: Do not treat empty buffers as valid
- media: uvcvideo: Refactor teardown of uvc on USB disconnect
- powerpc/xmon: Fix invocation inside lock region
- powerpc/pseries/cpuidle: Fix preempt warning
- media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
- ASoC: use dma_ops of parent device for acp_audio_dma
- media: venus: core: Set dma maximum segment size
- staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io'
- net: call sk_dst_reset when set SO_DONTROUTE
- scsi: target: use consistent left-aligned ASCII INQUIRY data
- scsi: target/core: Make sure that target_wait_for_sess_cmds() waits long
enough
- selftests: do not macro-expand failed assertion expressions
- arm64: kasan: Increase stack size for KASAN_EXTRA
- clk: imx6q: reset exclusive gates on init
- arm64: Fix minor issues with the dcache_by_line_op macro
- bpf: relax verifier restriction on BPF_MOV | BPF_ALU
- kconfig: fix file name and line number of warn_ignored_character()
- kconfig: fix memory leak when EOF is encountered in quotation
- mmc: atmel-mci: do not assume idle after atmci_request_end
- btrfs: volumes: Make sure there is no overlap of dev extents at mount time
- btrfs: alloc_chunk: fix more DUP stripe size handling
- btrfs: fix use-after-free due to race between replace start and cancel
- btrfs: improve error handling of btrfs_add_link
- tty/serial: do not free trasnmit buffer page under port lock
- perf intel-pt: Fix error with config term "pt=0"
- perf tests ARM: Disable breakpoint tests 32-bit
- perf svghelper: Fix unchecked usage of strncpy()
- perf parse-events: Fix unchecked usage of strncpy()
- perf vendor events intel: Fix Load_Miss_Real_Latency on SKL/SKX
- netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
- netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine
- netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
- x86/topology: Use total_cpus for max logical packages calculation
- dm crypt: use u64 instead of sector_t to store iv_offset
- dm kcopyd: Fix bug causing workqueue stalls
- perf stat: Avoid segfaults caused by negated options
- tools lib subcmd: Don't add the kernel sources to the include path
- dm snapshot: Fix excessive memory usage and workqueue stalls
- perf cs-etm: Correct packets swapping in cs_etm__flush()
- perf tools: Add missing sigqueue() prototype for systems lacking it
- perf tools: Add missing open_memstream() prototype for systems lacking it
- quota: Lock s_umount in exclusive mode for Q_XQUOTA{ON,OFF} quotactls.
- clocksource/drivers/integrator-ap: Add missing of_node_put()
- dm: Check for device sector overflow if CONFIG_LBDAF is not set
- Bluetooth: btusb: Add support for Intel bluetooth device 8087:0029
- ALSA: bebob: fix model-id of unit for Apogee Ensemble
- sysfs: Disable lockdep for driver bind/unbind files
- IB/usnic: Fix potential deadlock
- scsi: mpt3sas: fix memory ordering on 64bit writes
- scsi: smartpqi: correct lun reset issues
- ath10k: fix peer stats null pointer dereference
- scsi: smartpqi: call pqi_free_interrupts() in pqi_shutdown()
- scsi: megaraid: fix out-of-bound array accesses
- iomap: don't search past page end in iomap_is_partially_uptodate
- ocfs2: fix panic due to unrecovered local alloc
- mm/page-writeback.c: don't break integrity writeback on ->writepage() error
- mm/swap: use nr_node_ids for avail_lists in swap_info_struct
- userfaultfd: clear flag if remap event not enabled
- mm, proc: be more verbose about unstable VMA flags in /proc/<pid>/smaps
- iwlwifi: mvm: Send LQ command as async when necessary
- Bluetooth: Fix unnecessary error message for HCI request completion
- ipmi: fix use-after-free of user->release_barrier.rda
- ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
- ipmi: Prevent use-after-free in deliver_response
- ipmi:ssif: Fix handling of multi-part return messages
- ipmi: Don't initialize anything in the core until something uses it
- Linux 4.19.18
* tls selftest failures/hangs on i386 (LP: #1813607)
- [Config] CONFIG_TLS=n for i386
* Intel XL710 - i40e driver does not work with kernel 4.15 (Ubuntu 18.04)
(LP: #1779756)
- i40e: prevent overlapping tx_timeout recover
* Disco update: 4.19.17 upstream stable release (LP: #1813016)
- tty/ldsem: Wake up readers after timed out down_write()
- tty: Don't hold ldisc lock in tty_reopen() if ldisc present
- can: gw: ensure DLC boundaries after CAN frame modification
- netfilter: nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS
- netfilter: nf_conncount: split gc in two phases
- netfilter: nf_conncount: restart search when nodes have been erased
- netfilter: nf_conncount: merge lookup and add functions
- netfilter: nf_conncount: move all list iterations under spinlock
- netfilter: nf_conncount: speculative garbage collection on empty lists
- netfilter: nf_conncount: fix argument order to find_next_bit
- mmc: sdhci-msm: Disable CDR function on TX
- Revert "scsi: target: iscsi: cxgbit: fix csk leak"
- scsi: target: iscsi: cxgbit: fix csk leak
- scsi: target: iscsi: cxgbit: fix csk leak
- arm64/kvm: consistently handle host HCR_EL2 flags
- arm64: Don't trap host pointer auth use to EL2
- ipv6: fix kernel-infoleak in ipv6_local_error()
- net: bridge: fix a bug on using a neighbour cache entry without checking its
state
- packet: Do not leak dev refcounts on error exit
- tcp: change txhash on SYN-data timeout
- tun: publish tfile after it's fully initialized
- lan743x: Remove phy_read from link status change function
- smc: move unhash as early as possible in smc_release()
- r8169: don't try to read counters if chip is in a PCI power-save state
- bonding: update nest level on unlink
- ip: on queued skb use skb_header_pointer instead of pskb_may_pull
- r8169: load Realtek PHY driver module before r8169
- crypto: sm3 - fix undefined shift by >= width of value
- crypto: caam - fix zero-length buffer DMA mapping
- crypto: authencesn - Avoid twice completion call in decrypt path
- crypto: ccree - convert to use crypto_authenc_extractkeys()
- crypto: bcm - convert to use crypto_authenc_extractkeys()
- crypto: authenc - fix parsing key with misaligned rta_len
- crypto: talitos - reorder code in talitos_edesc_alloc()
- crypto: talitos - fix ablkcipher for CONFIG_VMAP_STACK
- xen: Fix x86 sched_clock() interface for xen
- Revert "btrfs: balance dirty metadata pages in btrfs_finish_ordered_io"
- btrfs: wait on ordered extents on abort cleanup
- Yama: Check for pid death before checking ancestry
- scsi: core: Synchronize request queue PM status only on successful resume
- scsi: sd: Fix cache_type_store()
- mips: fix n32 compat_ipc_parse_version
- MIPS: BCM47XX: Setup struct device for the SoC
- MIPS: lantiq: Fix IPI interrupt handling
- drm/i915/gvt: Fix mmap range check
- OF: properties: add missing of_node_put
- mfd: tps6586x: Handle interrupts on suspend
- media: v4l: ioctl: Validate num_planes for debug messages
- RDMA/nldev: Don't expose unsafe global rkey to regular user
- RDMA/vmw_pvrdma: Return the correct opcode when creating WR
- kbuild: Disable LD_DEAD_CODE_DATA_ELIMINATION with ftrace & GCC <= 4.7
- net: dsa: realtek-smi: fix OF child-node lookup
- pstore/ram: Avoid allocation and leak of platform data
- arm64: kaslr: ensure randomized quantities are clean to the PoC
- arm64: dts: marvell: armada-ap806: reserve PSCI area
- Disable MSI also when pcie-octeon.pcie_disable on
- fix int_sqrt64() for very large numbers
- omap2fb: Fix stack memory disclosure
- media: vivid: fix error handling of kthread_run
- media: vivid: set min width/height to a value > 0
- bpf: in __bpf_redirect_no_mac pull mac only if present
- ipv6: make icmp6_send() robust against null skb->dev
- LSM: Check for NULL cred-security on free
- media: vb2: vb2_mmap: move lock up
- sunrpc: handle ENOMEM in rpcb_getport_async
- netfilter: ebtables: account ebt_table_info to kmemcg
- block: use rcu_work instead of call_rcu to avoid sleep in softirq
- selinux: fix GPF on invalid policy
- blockdev: Fix livelocks on loop device
- sctp: allocate sctp_sockaddr_entry with kzalloc
- tipc: fix uninit-value in in tipc_conn_rcv_sub
- tipc: fix uninit-value in tipc_nl_compat_link_reset_stats
- tipc: fix uninit-value in tipc_nl_compat_bearer_enable
- tipc: fix uninit-value in tipc_nl_compat_link_set
- tipc: fix uninit-value in tipc_nl_compat_name_table_dump
- tipc: fix uninit-value in tipc_nl_compat_doit
- block/loop: Don't grab "struct file" for vfs_getattr() operation.
- block/loop: Use global lock for ioctl() operation.
- loop: Fold __loop_release into loop_release
- loop: Get rid of loop_index_mutex
- loop: Push lo_ctl_mutex down into individual ioctls
- loop: Split setting of lo_state from loop_clr_fd
- loop: Push loop_ctl_mutex down into loop_clr_fd()
- loop: Push loop_ctl_mutex down to loop_get_status()
- loop: Push loop_ctl_mutex down to loop_set_status()
- loop: Push loop_ctl_mutex down to loop_set_fd()
- loop: Push loop_ctl_mutex down to loop_change_fd()
- loop: Move special partition reread handling in loop_clr_fd()
- loop: Move loop_reread_partitions() out of loop_ctl_mutex
- loop: Fix deadlock when calling blkdev_reread_part()
- loop: Avoid circular locking dependency between loop_ctl_mutex and bd_mutex
- loop: Get rid of 'nested' acquisition of loop_ctl_mutex
- loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()
- loop: drop caches if offset or block_size are changed
- drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock
- selftests: Fix test errors related to lib.mk khdr target
- media: vb2: be sure to unlock mutex on errors
- nbd: Use set_blocksize() to set device blocksize
- Linux 4.19.17
* Enable sound card power saving by default (LP: #1804265)
- [Config] CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1
* Fix non-working QCA Rome Bluetooth after S3 (LP: #1812812)
- USB: Add new USB LPM helpers
- USB: Consolidate LPM checks to avoid enabling LPM twice
* [SRU] Fix Xorg crash with nomodeset when BIOS enable 64-bit fb addr
(LP: #1812797)
- vgaarb: Add support for 64-bit frame buffer address
- vgaarb: Keep adding VGA device in queue
* bluetooth controller not detected with 4.15 kernel (LP: #1810797)
- SAUCE: btqcomsmd: introduce BT_QCOMSMD_HACK
- [Config] arm64: snapdragon: BT_QCOMSMD_HACK=y
* [19.04 FEAT| Enable virtio-gpu for s390x (LP: #1799467)
- [Config] enable virtio-gpu for s390x
* Miscellaneous Ubuntu changes
- Revert "UBUNTU: SAUCE: selftests: disable some failing networking tests"
- SAUCE: selftests: net: replace AF_MAX with INT_MAX in socket.c
- SAUCE: selftests/ftrace: Fix tab expansion in trace_marker snapshot trigger
test
- update dkms package versions
* Miscellaneous upstream changes
- selftests/ftrace: Fix checkbashisms errors
- selftests/powerpc/pmu: Link ebb tests with -no-pie
-- Seth Forshee <seth.forshee@xxxxxxxxxxxxx> Mon, 28 Jan 2019 15:38:30 -0600
** Changed in: linux (Ubuntu Disco)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1789161
Title:
Bypass of mount visibility through userns + mount propagation
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Trusty:
Fix Released
Status in linux source package in Xenial:
Fix Released
Status in linux source package in Bionic:
Fix Released
Status in linux source package in Cosmic:
Fix Released
Status in linux source package in Disco:
Fix Released
Bug description:
[Impact]
Jonathan Calmels from NVIDIA reported that he's able to bypass the
mount visibility security check in place in the Linux kernel by using
a combination of the unbindable property along with the private mount
propagation option to allow an unprivileged user to see a path which
was purposefully hidden by the root user.
[Test Case]
Reproducer:
# Hide a path from all users using a tmpfs
root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
root@castiana:~#
# As an unprivileged user, unshare user namespace and mount namespace
stgraber@castiana:~$ unshare -U -m -r
# Confirm the path is still not accessible
root@castiana:~# ls /sys/devices/
# Make /sys recursively unbindable and private
root@castiana:~# mount --make-runbindable /sys
root@castiana:~# mount --make-private /sys
# Recursively bind-mount the rest of /sys over to /mnt
root@castiana:~# mount --rbind /sys/ /mnt
# Access our hidden /sys/devices as an unprivileged user
root@castiana:~# ls /mnt/devices/
breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual
[Regression Potential]
Low. The fixes are relatively simple. Regressions would most likely be
specific to software utilizing user namespaces + mount propagation
which is a small (but often important) portion of the Ubuntu archive.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1789161/+subscriptions
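Added example, not part of the bug report or of the kernel fix: a Python check over the text of /proc/<pid>/mountinfo that reports a path covered by a child mount in one place but reachable uncovered through another mount of the same filesystem, which is the end state of the reproducer above. The two mountinfo samples are constructed and the function names are illustrative.

```python
import posixpath

# Constructed mountinfo for the namespace after the reproducer's rbind step.
SAMPLE_BYPASSED = """\
28 0 8:2 / / rw,relatime - ext4 /dev/sda2 rw
22 28 0:21 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
300 22 0:55 / /sys/devices rw,relatime unbindable - tmpfs tmpfs rw
310 28 0:21 / /mnt rw,relatime - sysfs sysfs rw
"""
# Constructed variant in which the copy at /mnt keeps a covering mount.
SAMPLE_COVERED = SAMPLE_BYPASSED + "311 310 0:55 / /mnt/devices rw,relatime - tmpfs tmpfs rw\n"

def parse_mountinfo(text):
    """Fields: id, parent, dev, root, mount point, options, optional fields."""
    mounts = []
    for line in text.strip().splitlines():
        left, _, _ = line.partition(" - ")  # optional fields end at " - "
        f = left.split()
        mounts.append({"id": f[0], "parent": f[1], "dev": f[2],
                       "root": f[3], "mnt": f[4], "prop": f[6:]})
    return mounts

def rel(path, base):
    """Path relative to base ('' if equal), or None when path is outside base."""
    if path == base:
        return ""
    prefix = base.rstrip("/") + "/"
    return path[len(prefix):] if path.startswith(prefix) else None

def exposed_overmounts(text):
    """List (hidden_at, visible_at) pairs: covered in one mount, open in another."""
    mounts = parse_mountinfo(text)
    by_id = {m["id"]: m for m in mounts}
    findings = []
    for child in mounts:
        parent = by_id.get(child["parent"])
        below = rel(child["mnt"], parent["mnt"]) if parent else None
        if below is None:
            continue
        # Path inside the parent's filesystem that this child mount covers.
        covered = posixpath.normpath(posixpath.join(parent["root"], below))
        for m in mounts:
            sub = rel(covered, m["root"]) if m["dev"] == parent["dev"] else None
            if m is parent or sub is None:
                continue
            visible = posixpath.normpath(posixpath.join(m["mnt"], sub))
            if not any(k["parent"] == m["id"] and rel(visible, k["mnt"]) is not None
                       for k in mounts):
                findings.append((child["mnt"], visible))
    return findings
```

mountinfo only lists the mounts of the namespace it is read from, so feed the function the mountinfo of a process inside the namespace under test. Ordinary bind mounts can produce the same pattern, so each reported pair needs review against what was meant to be hidden.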