group.of.nepali.translators team mailing list archive
Message #34447
[Bug 1851243] Re: overlayfs : broken access to r/w files
This bug was fixed in the package linux - 4.4.0-174.204
---------------
linux (4.4.0-174.204) xenial; urgency=medium
* xenial/linux: 4.4.0-174.204 -proposed tracker (LP: #1861122)
* Xenial update: 4.4.211 upstream stable release (LP: #1860681)
- hidraw: Return EPOLLOUT from hidraw_poll
- HID: hidraw: Fix returning EPOLLOUT from hidraw_poll
- HID: hidraw, uhid: Always report EPOLLOUT
- cfg80211/mac80211: make ieee80211_send_layer2_update a public function
- mac80211: Do not send Layer 2 Update frame before authorization
- media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap
- p54usb: Fix race between disconnect and firmware loading
- ALSA: line6: Fix write on zero-sized buffer
- ALSA: line6: Fix memory leak at line6_init_pcm() error path
- xen: let alloc_xenballooned_pages() fail if not enough memory free
- wimax: i2400: fix memory leak
- wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle
- ext4: fix use-after-free race with debug_want_extra_isize
- ext4: add more paranoia checking in ext4_expand_extra_isize handling
- rtc: mt6397: fix alarm register overwrite
- iommu: Remove device link to group on failure
- gpio: Fix error message on out-of-range GPIO in lookup table
- hsr: reset network header when supervision frame is created
- cifs: Adjust indentation in smb2_open_file
- RDMA/srpt: Report the SCSI residual to the initiator
- scsi: enclosure: Fix stale device oops with hot replug
- scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI
- platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0
- iio: imu: adis16480: assign bias value only if operation succeeded
- mei: fix modalias documentation
- clk: samsung: exynos5420: Preserve CPU clocks configuration during
suspend/resume
- compat_ioctl: handle SIOCOUTQNSD
- tty: serial: imx: use the sg count from dma_map_sg
- tty: serial: pch_uart: correct usage of dma_unmap_sg
- media: exynos4-is: Fix recursive locking in isp_video_release()
- spi: atmel: fix handling of cs_change set on non-last xfer
- rtlwifi: Remove unnecessary NULL check in rtl_regd_init
- rtc: msm6242: Fix reading of 10-hour digit
- rseq/selftests: Turn off timeout setting
- hexagon: work around compiler crash
- ocfs2: call journal flush to mark journal as empty after journal recovery
when mount
- ALSA: seq: Fix racy access for queue timer in proc read
- Fix built-in early-load Intel microcode alignment
- block: fix an integer overflow in logical block size
- USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx
- USB: serial: opticon: fix control-message timeouts
- USB: serial: suppress driver bind attributes
- USB: serial: ch341: handle unbound port at reset_resume
- USB: serial: io_edgeport: add missing active-port sanity check
- USB: serial: quatech2: handle unbound ports
- scsi: mptfusion: Fix double fetch bug in ioctl
- usb: core: hub: Improved device recognition on remote wakeup
- x86/efistub: Disable paging at mixed mode entry
- mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio()
- net: stmmac: 16KB buffer must be 16 byte aligned
- net: stmmac: Enable 16KB buffer size
- USB: serial: io_edgeport: use irqsave() in USB's complete callback
- USB: serial: io_edgeport: handle unbound ports on URB completion
- USB: serial: keyspan: handle unbound ports
- scsi: fnic: use kernel's '%pM' format option to print MAC
- scsi: fnic: fix invalid stack access
- arm64: dts: agilex/stratix10: fix pmu interrupt numbers
- netfilter: fix a use-after-free in mtype_destroy()
- batman-adv: Fix DAT candidate selection on little endian systems
- macvlan: use skb_reset_mac_header() in macvlan_queue_xmit()
- r8152: add missing endpoint sanity check
- tcp: fix marked lost packets not being retransmitted
- net: usb: lan78xx: limit size of local TSO packets
- xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk
- cw1200: Fix a signedness bug in cw1200_load_firmware()
- cfg80211: check for set_wiphy_params
- scsi: esas2r: unlock on error in esas2r_nvram_read_direct()
- scsi: qla4xxx: fix double free bug
- scsi: bnx2i: fix potential use after free
- scsi: target: core: Fix a pr_debug() argument
- scsi: core: scsi_trace: Use get_unaligned_be*()
- perf probe: Fix wrong address verification
- regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id
- Linux 4.4.211
* Xenial update: 4.4.210 upstream stable release (LP: #1859865)
- chardev: Avoid potential use-after-free in 'chrdev_open()'
- usb: chipidea: host: Disable port power only if previously enabled
- ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5
- kernel/trace: Fix do not unregister tracepoints when register
sched_migrate_task fail
- tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined
- HID: Fix slab-out-of-bounds read in hid_field_extract
- HID: uhid: Fix returning EPOLLOUT from uhid_char_poll
- HID: hid-input: clear unmapped usages
- Input: add safety guards to input_set_keycode()
- drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ
- can: gs_usb: gs_usb_probe(): use descriptors of current altsetting
- can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling
to irq mode
- can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing
CAN sk_buffs
- staging: vt6656: set usb_set_intfdata on driver fail.
- USB: serial: option: add ZLP support for 0x1bc7/0x9010
- usb: musb: Disable pullup at init
- usb: musb: dma: Correct parameter passed to IRQ handler
- staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21
- tty: link tty and port before configuring it as console
- tty: always relink the port
- mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf
- scsi: bfa: release allocated memory in case of error
- rtl8xxxu: prevent leaking urb
- USB: Fix: Don't skip endpoint descriptors with maxpacket=0
- netfilter: arp_tables: init netns pointer in xt_tgchk_param struct
- netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present
- Linux 4.4.210
* Xenial update: 4.4.209 upstream stable release (LP: #1859640)
- PM / devfreq: Don't fail devfreq_dev_release if not in list
- RDMA/cma: add missed unregister_pernet_subsys in init failure
- scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func
- scsi: qla2xxx: Don't call qlt_async_event twice
- scsi: iscsi: qla4xxx: fix double free in probe
- scsi: libsas: stop discovering if oob mode is disconnected
- usb: gadget: fix wrong endpoint desc
- md: raid1: check rdev before reference in raid1_sync_request func
- s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits
- s390/cpum_sf: Avoid SBD overflow condition in irq handler
- xen/balloon: fix ballooned page accounting without hotplug enabled
- xfs: fix mount failure crash on invalid iclog memory access
- taskstats: fix data-race
- ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code
- MIPS: Avoid VDSO ABI breakage due to global register variable
- locks: print unsigned ino in /proc/locks
- dmaengine: Fix access to uninitialized dma_slave_caps
- compat_ioctl: block: handle Persistent Reservations
- gpiolib: fix up emulated open drain outputs
- ALSA: cs4236: fix error return comparison of an unsigned integer
- ftrace: Avoid potential division by zero in function profiler
- Bluetooth: btusb: fix PM leak in error case of setup
- Bluetooth: delete a stray unlock
- tty: serial: msm_serial: Fix lockup for sysrq and oops
- drm/mst: Fix MST sideband up-reply failure handling
- powerpc/pseries/hvconsole: Fix stack overread via udbg
- ath9k_htc: Modify byte order for an error message
- ath9k_htc: Discard undersized packets
- net: add annotations on hh->hh_len lockless accesses
- s390/smp: fix physical to logical CPU map for SMT
- locking/x86: Remove the unused atomic_inc_short() methd
- pstore/ram: Write new dumps to start of recycled zones
- locking/spinlock/debug: Fix various data races
- netfilter: ctnetlink: netns exit must wait for callbacks
- ARM: vexpress: Set-up shared OPP table instead of individual for each CPU
- netfilter: uapi: Avoid undefined left-shift in xt_sctp.h
- ARM: dts: am437x-gp/epos-evm: fix panel compatible
- powerpc: Ensure that swiotlb buffer is allocated from low memory
- bnx2x: Do not handle requests from VFs after parity
- bnx2x: Fix logic to get total no. of PFs per engine
- net: usb: lan78xx: Fix error message format specifier
- rfkill: Fix incorrect check to avoid NULL pointer dereference
- ASoC: wm8962: fix lambda value
- regulator: rn5t618: fix module aliases
- kconfig: don't crash on NULL expressions in expr_eq()
- parisc: Fix compiler warnings in debug_core.c
- llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c)
- net: stmmac: dwmac-sunxi: Allow all RGMII modes
- net: usb: lan78xx: fix possible skb leak
- pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM
- sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY
- tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK
- vlan: vlan_changelink() should propagate errors
- vlan: fix memory leak in vlan_dev_set_egress_priority
- vxlan: fix tos value before xmit
- macvlan: do not assume mac_header is set in macvlan_broadcast()
- USB: core: fix check for duplicate endpoints
- USB: serial: option: add Telit ME910G1 0x110a composition
- Linux 4.4.209
* overlayfs : broken access to r/w files (LP: #1851243)
- SAUCE: Revert "ovl: modify ovl_permission() to do checks on two inodes"
* net selftest psock_fanout fails on xenial s390x due to incorrect queue
lengths (LP: #1853375)
- selftests/net: cleanup unused parameter in psock_fanout
- selftests/net: ignore background traffic in psock_fanout
* multi-zone raid0 corruption (LP: #1850540)
- md/raid0: avoid RAID0 data corruption due to layout confusion.
- md: add feature flag MD_FEATURE_RAID0_LAYOUT
- md/raid0: fix warning message for parameter default_layout
- md/raid0: Fix an error message in raid0_make_request()
- SAUCE: md/raid0: Link to wiki with guidance on multi-zone RAID0 layout
migration
- SAUCE: md/raid0: Use kernel specific layout
* CVE-2019-20096
- dccp: Fix memleak in __feat_register_sp
-- Khalid Elmously <khalid.elmously@xxxxxxxxxxxxx> Wed, 29 Jan 2020 00:47:22 -0500
** Changed in: linux (Ubuntu Xenial)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-20096
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1851243
Title:
overlayfs : broken access to r/w files
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Xenial:
Fix Released
Bug description:
[Description]
Commit c0ca3d70e8d3 (ovl: modify ovl_permission() to do checks on two inodes) (upstream id) breaks r/w access in overlayfs in 4.4 Ubuntu kernels; later Ubuntu kernels are not affected.
There are two options to fix this: either (a) backport ce31513a9114 (ovl: copyattr after setting POSIX ACL) to 4.4, or (b) revert the offending commit c0ca3d70e8d3 (ovl: modify ovl_permission() to do checks on two inodes).
Option (a) has a high risk of regression, since ce31513a9114 (ovl: copyattr after setting POSIX ACL) has many dependencies on other commits that would need to be backported too.
We'll proceed with reverting c0ca3d70e8d3 (ovl: modify ovl_permission() to do checks on two inodes).
This commit is associated with CVE-2018-16597; however, 4.4 kernels (both Ubuntu and upstream) are NOT affected by this CVE, so it's safe to revert it.
The offending commit was introduced upstream in v4.8-rc1. At that point it had nothing to do with any CVE.
It became associated with CVE-2018-16597 as it was the fix for bug [1].
Then it was backported to stable 4.4 and this way it ended up in Ubuntu 4.4 kernels.
[Test Case]
----> Offending commit breaks r/w access in overlayfs
Reproducer available in [2].
To run the reproducer:
$ ./make-overlay.sh
$ ./test.sh
# With the offending commit in place :
$ ./test.sh
st_mode is 100644
open failed: -1
cat: /tmp/overlay/animal: Permission denied <---- Breaks access
-rw-r--r-- 1 jo jo 0 Oct 11 09:57 /tmp/overlay/animal
# With the offending commit reverted :
$ ./test.sh
st_mode is 100644
-rw-r--r-- 1 jo jo 0 Oct 11 16:01 /tmp/overlay/animal
[Other]
----> Test whether 4.4 kernels are affected by CVE-2018-16597
Since the offending commit c0ca3d70e8d3 (ovl: modify ovl_permission() to do
checks on two inodes) is related to CVE-2018-16597, a test script is
provided to confirm that 4.4 kernels are not affected by this CVE and
that it is therefore safe to revert the commit.
Kernels tested :
4.4 ESM kernels :
- 4.4.0-1057-aws (offending reverted) PASS
- 4.4.0-167-generic (offending reverted) PASS
4.4 AWS Kernels (not esm) :
- 4.4.0-1097-aws as is PASS
- 4.4.0-1097-aws offending reverted PASS
4.4 Generic kernels (not esm) :
- 4.4.0-165-generic as is PASS
- 4.4.0-165-generic (offending reverted) PASS
Upstream kernels :
- latest upstream PASS
- upstream at offending PASS
- upstream before offending PASS
- 4.4 stable before offending PASS
### DETAILS
A simple script is attached (test_overlay_permission.sh) to test whether Ubuntu 4.4 kernels are affected by CVE-2018-16597.
They are not. Neither is the stable 4.4.y upstream kernel.
The script tests for the reproducer found in [1] and a modified version
of it that doesn't break the following (quoting from [3]):
"Changes to the underlying filesystems while part of a mounted overlay
filesystem are not allowed. If the underlying filesystem is changed,
the behavior of the overlay is undefined, though it will not result in
a crash or deadlock."
These two test cases should fail. So, expect to see
"cp: cannot create regular file <the file we're writing>: Permission denied".
Then there are a few other test cases (files placed in lower/upper dirs and owned
by root/user).
The script checks the contents of the files at the end and reports anything wrong by printing :
Problem with file <file>
and then cat-ing the file and listing the permissions.
An example (correct) output is the following :
----------------------------------------------------------------------
$ ./test_overlay_permission.sh
Testing reproducer
This should fail
cp: cannot create regular file '/home/jo/test_cve/overlay/bash': Permission denied
Testing reproducer modified
This should fail
cp: cannot create regular file '/home/jo/test_cve/overlay/bash': Permission denied
Testing other cases
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/after_mount_root: Permission denied
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/both_root: Permission denied
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/lower_only_root: Permission denied
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/upper_only_root: Permission denied
##########################################################
CHECK LOWER
##########################################################
CHECK UPPER
##########################################################
CHECK OVERLAY
----------------------------------------------------------------------
We see that "Testing reproducer" fails, so we are OK.
In addition, when "Testing other cases" we get 4 "Permission denied", which is
also the desired behaviour, as a user is trying to write root-owned files.
If there's output after CHECK LOWER/UPPER/OVERLAY, something has gone wrong and needs
investigation. In the case above, nothing is printed, so we're good.
[1] https://bugzilla.suse.com/show_bug.cgi?id=1106512#c0
[2] https://gist.github.com/thomas-holmes/711bcdb28e2b8e6d1c39c1d99d292af7
[3] linux/Documentation/overlayfs.txt
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851243/+subscriptions
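The pass criteria given in the bug description (two denied reproducer writes, four denials for root-owned files, nothing printed after the CHECK banners) can be checked mechanically. The following is an added example, not part of the original report or of test_overlay_permission.sh: check_overlay_output, sample_pass and sample_fail are hypothetical names, the passing sample is copied from the run shown in the report, and the failing sample is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): validate captured output of
# test_overlay_permission.sh against the criteria stated in the description.
check_overlay_output() {    # reads the captured output on stdin
    awk '
        /^(-+|#+)$/ { next }                      # frame and banner lines
        /^Testing reproducer/  { sec = "repro"; next }
        /^Testing other cases/ { sec = "other"; next }
        /^CHECK (LOWER|UPPER|OVERLAY)$/ { sec = "check"; next }
        sec == "repro" && /^This should fail$/ { want++; next }
        sec == "repro" && /^cp: cannot create regular file .*: Permission denied$/ { got++; next }
        sec == "other" && /: Permission denied$/ { other++; next }
        sec == "check" { print "unexpected after CHECK: " $0; bad++ }
        END {
            if (want != 2 || got != want) { print "reproducer write was not denied"; bad++ }
            if (other != 4) { print "expected 4 denials for root-owned files, got " (other + 0); bad++ }
            exit (bad > 0)
        }'
}

# Output copied from the "correct" run in the bug description.
sample_pass() {
cat <<'EOF'
Testing reproducer
This should fail
cp: cannot create regular file '/home/jo/test_cve/overlay/bash': Permission denied
Testing reproducer modified
This should fail
cp: cannot create regular file '/home/jo/test_cve/overlay/bash': Permission denied
Testing other cases
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/after_mount_root: Permission denied
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/both_root: Permission denied
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/lower_only_root: Permission denied
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/upper_only_root: Permission denied
##########################################################
CHECK LOWER
##########################################################
CHECK UPPER
##########################################################
CHECK OVERLAY
EOF
}

# Constructed failing run: the cp denials are missing and a problem is reported.
sample_fail() { sample_pass | grep -v '^cp:'; echo 'Problem with file bash'; }

sample_pass | check_overlay_output && echo "criteria met"
```

On a real system, pipe the script's combined output into the function: `./test_overlay_permission.sh 2>&1 | check_overlay_output`.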