kernel-packages team mailing list archive

Thread
Date
[Bug 1559725] Re: Security bug of overlayfs in linux image kernel

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Tyler Hicks <tyhicks@xxxxxxxxxxxxx>
Date: Thu, 24 Mar 2016 06:34:08 -0000
Reply-to: Bug 1559725 <1559725@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
I'm setting this bug to public since there is no security concern.
Thanks!

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1559725

Title:
  Security bug of overlayfs in linux image kernel

Status in linux package in Ubuntu:
  Invalid

Bug description:
  sudo bash

  mkdir -p lower/a upper work merge

  touch lower/a/{1,2,3,4}

  mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work
  merge/           # In "merge/a", there should be "1,2,3,4"

  rm -rf merge/a          # Delete all files in "merge/a" as well as
  folder itself

  mkdir merge/a          # In "merge/a", there should be no files

  touch merge/a/5      # In "merge/a", there should be only one file "5"

  umount -l merge/

  tar czvf layer.tgz upper/      # Store this layer

  rm -rf upper/           # remove folder, assume we want to reconstruct
  merge folder by this layer on another machine

  tar xzvf layer.tgz              # Restore layer data

  mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work
  merge/   # Oops, why "1,2,3,4" exist in "merge/a" ?

  -------------------------------------------------------

  Wrong exposure of "1,2,3,4" might cause:

  1) applications to crash (such as reading
  "/etc/apt/sources.d/{1,2,..}")

  2) "1,2,3,4" might be dangerous virus which are supposed to be cleaned
  but exposure

  -------------------------------------------------------

  Aufs doesn't have this bug.

  If we change "mount -t overlay overlay
  -olowerdir=lower,upperdir=upper,workdir=work merge/" above into ->

  "mount -t aufs -o br=upper=rw:lower=ro+wh none merge/",

  and all of other commands don't change, then the final result in
  "merge/a/" are what we supposed to be.

  -------------------------------------------------------

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: linux-image-generic 4.4.0.13.14
  ProcVersionSignature: Ubuntu 4.4.0-13.29-generic 4.4.5
  Uname: Linux 4.4.0-13-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  AlsaVersion: Advanced Linux Sound Architecture Driver Version k4.4.0-13-generic.
  ApportVersion: 2.20-0ubuntu3
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC0:  ghostplant   2995 F.... pulseaudio
   /dev/snd/controlC1:  ghostplant   2995 F.... pulseaudio
  CurrentDesktop: GNOME-Flashback:Unity
  Date: Sun Mar 20 22:56:55 2016
  JournalErrors:
   Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
         Users in the 'systemd-journal' group can see all messages. Pass -q to
         turn off this notice.
   No journal files were opened due to insufficient permissions.
  MachineType: Micro-Star International Co., Ltd. GE60 2PG
  PciMultimedia:

  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-13-generic root=UUID=f584608e-f90a-445b-b845-cf3eb246a0d1 ro quiet swapaccount=1
  RelatedPackageVersions:
   linux-restricted-modules-4.4.0-13-generic N/A
   linux-backports-modules-4.4.0-13-generic  N/A
   linux-firmware                            1.156
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  WifiSyslog:

  dmi.bios.date: 12/01/2014
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: E16GFIMS.626
  dmi.board.asset.tag: To be filled by O.E.M.
  dmi.board.name: MS-16GF
  dmi.board.vendor: Micro-Star International Co., Ltd.
  dmi.board.version: REV:0.B
  dmi.chassis.asset.tag: To Be Filled By O.E.M.
  dmi.chassis.type: 3
  dmi.chassis.vendor: To Be Filled By O.E.M.
  dmi.chassis.version: To Be Filled By O.E.M.
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrE16GFIMS.626:bd12/01/2014:svnMicro-StarInternationalCo.,Ltd.:pnGE602PG:pvrREV1.0:rvnMicro-StarInternationalCo.,Ltd.:rnMS-16GF:rvrREV0.B:cvnToBeFilledByO.E.M.:ct3:cvrToBeFilledByO.E.M.:
  dmi.product.name: GE60 2PG
  dmi.product.version: REV:1.0
  dmi.sys.vendor: Micro-Star International Co., Ltd.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1559725/+subscriptions