kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #162258
[Bug 1535150] Re: overlayfs over fuse should refuse copy_up of files if uid/gid not mapped
** Tags added: patch
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1535150
Title:
overlayfs over fuse should refuse copy_up of files if uid/gid not
mapped
Status in linux package in Ubuntu:
Confirmed
Status in linux source package in Trusty:
Fix Released
Status in linux source package in Vivid:
Fix Released
Status in linux source package in Wily:
Fix Released
Status in linux source package in Xenial:
Confirmed
Bug description:
On Ubuntu Wily it is possible to place an USERNS overlayfs mount over
a fuse mount. The fuse filesystem may contain SUID binaries, but those
cannot be executed due to nosuid mount options. But when touching such
an SUID binary via overlayfs mount, this will trigger copy_up
including all file attributes, thus creating a real SUID binary on the
disk.
Sequence:
* Mount fuse filesystem exposing one world writable SUID binary
* Create USERNS
* Mount overlayfs on top of fuse
* open the SUID binary RDWR in overlayfs, thus triggering copy_up
Afterwards the SUID binary can be invoked to gain root privileges.
For additional information, test tool see
http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/
(InvitedOnly/3YD9ufze) and attached sharing policy.
$ lsb_release -rd
Description: Ubuntu 15.10
Release: 15.10
$ apt-cache policy linux-image-4.2.0-23-generic
linux-image-4.2.0-23-generic:
Installed: 4.2.0-23.28
Candidate: 4.2.0-23.28
Version table:
*** 4.2.0-23.28 0
500 http://archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages
500 http://archive.ubuntu.com/ubuntu/ wily-security/main amd64 Packages
100 /var/lib/dpkg/status
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1535150/+subscriptions
