kernel-packages team mailing list archive
Message #169101
[Bug 1559725] Re: Security bug of overlayfs in linux image kernel
I'm setting this bug to public since there is no security concern.
Thanks!
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1559725
Title:
Security bug of overlayfs in linux image kernel
Status in linux package in Ubuntu:
Invalid
Bug description:
sudo bash
mkdir -p lower/a upper work merge
touch lower/a/{1,2,3,4}
mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge/ # In "merge/a", there should be "1,2,3,4"
rm -rf merge/a # Delete all files in "merge/a" as well as the folder itself
mkdir merge/a # In "merge/a", there should be no files
touch merge/a/5 # In "merge/a", there should be only one file "5"
umount -l merge/
tar czvf layer.tgz upper/ # Store this layer
rm -rf upper/ # Remove folder; assume we want to reconstruct the merge folder from this layer on another machine
tar xzvf layer.tgz # Restore layer data
mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge/ # Oops, why do "1,2,3,4" exist in "merge/a"?
-------------------------------------------------------
Wrong exposure of "1,2,3,4" might cause:
1) applications to crash (such as reading "/etc/apt/sources.d/{1,2,..}")
2) "1,2,3,4" might be dangerous viruses which are supposed to be cleaned but are exposed
-------------------------------------------------------
Aufs doesn't have this bug.
If we change "mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge/" above into "mount -t aufs -o br=upper=rw:lower=ro+wh none merge/", and none of the other commands change, then the final result in "merge/a/" is what it is supposed to be.
-------------------------------------------------------
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-image-generic 4.4.0.13.14
ProcVersionSignature: Ubuntu 4.4.0-13.29-generic 4.4.5
Uname: Linux 4.4.0-13-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
AlsaVersion: Advanced Linux Sound Architecture Driver Version k4.4.0-13-generic.
ApportVersion: 2.20-0ubuntu3
Architecture: amd64
CurrentDesktop: GNOME-Flashback:Unity
Date: Sun Mar 20 22:56:55 2016
MachineType: Micro-Star International Co., Ltd. GE60 2PG
PciMultimedia:
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-13-generic root=UUID=f584608e-f90a-445b-b845-cf3eb246a0d1 ro quiet swapaccount=1
RelatedPackageVersions:
linux-restricted-modules-4.4.0-13-generic N/A
linux-backports-modules-4.4.0-13-generic N/A
linux-firmware 1.156
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1559725/+subscriptions
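
Added example, not part of the original report or of any Ubuntu or kernel code: overlayfs records "this upper directory replaces the lower one" as the extended attribute trusted.overlay.opaque=y on the upper directory, and a plain tar czvf / tar xzvf round trip like the one in the report does not carry extended attributes. The sketch below audits a layer archive for that marker and models what merge/a would list with and without it; the function names, the constructed archive and the lower listing are assumptions made for illustration.

```python
import io
import tarfile

# GNU tar stores an xattr as a pax record named "SCHILY.xattr.<xattr name>".
OPAQUE = "SCHILY.xattr.trusted.overlay.opaque"

def build_layer(keep_xattrs):
    """Constructed stand-in for the report's layer.tgz: upper/a/ containing 5."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", format=tarfile.PAX_FORMAT) as tar:
        for name, kind in (("upper", tarfile.DIRTYPE), ("upper/a", tarfile.DIRTYPE),
                           ("upper/a/5", tarfile.REGTYPE)):
            info = tarfile.TarInfo(name)
            info.type = kind
            if keep_xattrs and name == "upper/a":
                info.pax_headers = {OPAQUE: "y"}  # marker left by rm -rf + mkdir
            tar.addfile(info)
    return buf.getvalue()

def read_layer(data, root="upper"):
    """Return (paths, opaque_dirs) found under root/ in a layer archive."""
    paths, opaque = set(), set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            name = member.name.rstrip("/")
            if not name.startswith(root + "/"):
                continue
            rel = name[len(root) + 1:]
            paths.add(rel)
            if member.isdir() and member.pax_headers.get(OPAQUE) == "y":
                opaque.add(rel)
    return paths, opaque

def children(paths, directory):
    prefix = directory + "/"
    return {p[len(prefix):] for p in paths
            if p.startswith(prefix) and "/" not in p[len(prefix):]}

def merged_dir(lower_paths, layer, directory):
    """Names visible in merge/<directory>: an opaque upper directory (or opaque
    ancestor) hides the lower contents. Whiteout files are not modelled."""
    upper_paths, opaque = read_layer(layer)
    hidden = any(directory == d or directory.startswith(d + "/") for d in opaque)
    lower_visible = set() if hidden else children(lower_paths, directory)
    return sorted(children(upper_paths, directory) | lower_visible)

if __name__ == "__main__":
    lower = {"a", "a/1", "a/2", "a/3", "a/4"}  # constructed lower/ listing
    print("xattrs kept:", merged_dir(lower, build_layer(True), "a"))
    print("xattrs lost:", merged_dir(lower, build_layer(False), "a"))
```

Running read_layer over a real layer archive before shipping it shows whether any opaque directory markers made it into the archive at all.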