
touch-packages team mailing list archive

[Bug 1509752] Re: Bug in ensure_not_symlink() from 0003-CVE-2015-1335.patch

 

** Description changed:

- This bug/limitation is present in lxc from 1.0.7-0ubuntu0.5 through
- 1.0.7-0ubuntu0.9 (or anything that incorporates
- 0003-CVE-2015-1335.patch).  Basically, the limitation is obvious when
- using recursive bind mounts because ensure_not_symlink() only checks the
- last line of /proc/self/mountinfo which will be a submount so will
- always fail the test and trigger:
+ =======================================================================
+ SRU Justification
+ Impact: cannot start containers with lxc.mount.entries which are recursive bind mounts
+ Regression potential: this makes assumptions about the ordering of /proc/self/mountinfo, but no more so than the original CVE patch.  So it should not regress from the previous lxc version.
+ Test case:
+ 
+ #!/bin/sh
+ set -ex
+ cleanup() {
+         umount /mnt/etc /mnt/proc || true
+         lxc-stop -n t1 -k || true
+         lxc-destroy -n t1  || true
+ }
+ trap cleanup EXIT
+ mkdir -p /mnt/etc /mnt/proc
+ mount --bind /etc /mnt/etc
+ mount --bind /proc /mnt/proc
+ lxc-create -t download -n t1 -- -d ubuntu -r trusty -a amd64
+ cat >> /var/lib/lxc/t1/config << EOF
+ lxc.mount.entry = /mnt hostmnt none rbind,create=dir
+ EOF
+ lxc-start -n t1 -F -l trace -o /dev/stdout
+ echo "DONE"
+ 
+ =======================================================================
+ This bug/limitation is present in lxc from 1.0.7-0ubuntu0.5 through 1.0.7-0ubuntu0.9 (or anything that incorporates 0003-CVE-2015-1335.patch).  Basically, the limitation is obvious when using recursive bind mounts because ensure_not_symlink() only checks the last line of /proc/self/mountinfo which will be a submount so will always fail the test and trigger:
  
  ensure_not_symlink: 1413 Mount onto /usr/lib/x86_64-linux-
  gnu/lxc/storage resulted in /usr/lib/x86_64-linux-
  gnu/lxc/storage/submount, not /usr/lib/x86_64-linux-gnu/lxc/storage
  
  Sorry if this is a duplicate, I did spend quite some time trying to find
  a similar report.
  
  Thanks!
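Review bot: the test case added under "SRU Justification" never states its expected result. Because the script runs with `set -ex`, it only reaches `echo "DONE"` when `lxc-start` exits successfully, so the text should say that a fixed package ends with DONE and an affected one stops at the ensure_not_symlink error quoted below it.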

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1509752

Title:
  Bug in ensure_not_symlink() from 0003-CVE-2015-1335.patch

Status in lxc package in Ubuntu:
  Fix Released
Status in lxc source package in Trusty:
  New

Bug description:
  =======================================================================
  SRU Justification
  Impact: cannot start containers with lxc.mount.entries which are recursive bind mounts
  Regression potential: this makes assumptions about the ordering of /proc/self/mountinfo, but no more so than the original CVE patch.  So it should not regress from the previous lxc version.
  Test case:

  #!/bin/sh
  set -ex
  cleanup() {
          umount /mnt/etc /mnt/proc || true
          lxc-stop -n t1 -k || true
          lxc-destroy -n t1  || true
  }
  trap cleanup EXIT
  mkdir -p /mnt/etc /mnt/proc
  mount --bind /etc /mnt/etc
  mount --bind /proc /mnt/proc
  lxc-create -t download -n t1 -- -d ubuntu -r trusty -a amd64
  cat >> /var/lib/lxc/t1/config << EOF
  lxc.mount.entry = /mnt hostmnt none rbind,create=dir
  EOF
  lxc-start -n t1 -F -l trace -o /dev/stdout
  echo "DONE"

  =======================================================================
  This bug/limitation is present in lxc from 1.0.7-0ubuntu0.5 through 1.0.7-0ubuntu0.9 (or anything that incorporates 0003-CVE-2015-1335.patch).  Basically, the limitation is obvious when using recursive bind mounts because ensure_not_symlink() only checks the last line of /proc/self/mountinfo which will be a submount so will always fail the test and trigger:

  ensure_not_symlink: 1413 Mount onto /usr/lib/x86_64-linux-gnu/lxc/storage resulted in /usr/lib/x86_64-linux-gnu/lxc/storage/submount, not /usr/lib/x86_64-linux-gnu/lxc/storage

  Sorry if this is a duplicate, I did spend quite some time trying to
  find a similar report.

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1509752/+subscriptions
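The failure described in the report, as an added illustration (not lxc's code and not the fix shipped for this bug): after a recursive bind mount the last mountinfo line is a submount, so a last-line-only comparison rejects a mount that did land on its target. The mountinfo lines, paths and function names are constructed for the example, and the skip-submounts variant is one assumed relaxation that relies on the same ordering of /proc/self/mountinfo mentioned in the SRU text.

```c
#include <stdio.h>
#include <string.h>
/* Constructed samples. An rbind lists the parent mount, then its submounts. */
static const char *SAMPLE_RBIND =
    "101 60 8:1 /mnt /rootfs/hostmnt rw,relatime - ext4 /dev/sda1 rw\n"
    "102 101 8:1 /etc /rootfs/hostmnt/etc rw,relatime - ext4 /dev/sda1 rw\n"
    "103 101 0:4 / /rootfs/hostmnt/proc rw,nosuid - proc proc rw\n";
static const char *SAMPLE_ELSEWHERE =   /* mount ended up on another path */
    "101 60 8:1 /mnt /rootfs/other rw,relatime - ext4 /dev/sda1 rw\n";

/* Copy field 5 (the mount point) of one mountinfo line into out. */
static int mount_point(const char *line, size_t len, char *out, size_t outsz)
{
    size_t i = 0, n = 0;
    for (int field = 1; field < 5; field++) {
        while (i < len && line[i] != ' ') i++;
        if (i++ >= len) return -1;              /* fewer than five fields */
    }
    while (i < len && line[i] != ' ' && n + 1 < outsz) out[n++] = line[i++];
    out[n] = '\0';
    return (n && (i == len || line[i] == ' ')) ? 0 : -1; /* empty/truncated */
}

/* 1 if the mount is judged to be on target. skip_sub=0 compares only the
 * last line (the reported behaviour); skip_sub=1 ignores entries below it. */
static int landed_on(const char *info, const char *target, int skip_sub)
{
    size_t tlen = strlen(target);
    char mp[256];
    int ok = 0;
    for (const char *p = info; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (mount_point(p, len, mp, sizeof mp) == 0) {
            int below = !strncmp(mp, target, tlen) && mp[tlen] == '/';
            if (!(skip_sub && below)) ok = !strcmp(mp, target);
        }
        p += len + (nl != NULL);
    }
    return ok;
}

int main(void)
{
    const char *t = "/rootfs/hostmnt";          /* hypothetical target path */
    printf("rbind: last-line=%d skip-submounts=%d\n",
           landed_on(SAMPLE_RBIND, t, 0), landed_on(SAMPLE_RBIND, t, 1));
    return 0;
}
```

A mount that resolved to a different path (SAMPLE_ELSEWHERE) is rejected in both modes, so the relaxation does not weaken the check the CVE patch introduced for that case.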

