** Description changed:
[Description]
- TBD
+ Commit c0ca3d70e8d3(ovl: modify ovl_permission() to do checks on two inodes)
(upstream id) breaks r/w access in overlayfs in 4.4 ubuntu kernels, later
ubuntu kernels are not affected.
+
+ There are two options to fix this either (a) backport ce31513a9114(ovl:
copyattr after setting POSIX ACL) to 4.4 or (b) revert offending commit
c0ca3d70e8d3(ovl: modify ovl_permission() to do checks on two inodes).
+ Option (a) has high risk of regression since ce31513a9114(ovl: copyattr after
setting POSIX ACL) has many dependencies on other commits that need to be
backported too.
+
+ We'll proceed with reverting c0ca3d70e8d3(ovl: modify ovl_permission() to do
checks on two inodes).
+ This commit is associated with CVE-2018-16597, however 4.4 kernels (both
ubuntu and upstream) are NOT affected by this cve so it's safe to revert it.
+ The offending commit was introduced upstream in v4.8-rc1. At this point had
nothing to do with any CVE.
+ It was related with CVE-2018-16597 as it was the fix for bug [1].
+ Then it was backported to stable 4.4 and this way it ended up in Ubuntu 4.4
kernels.
[Test Case]
- TBD
+ ----> Offending commit breaks r/w access in overlayfs
- [Regression Potential]
- TBD
+ Reproducer available in [2].
+
+ To run the reproducer :
+ $./make-overlay.sh
+ $./test.sh
+
+ # With the offending commit in place :
+
+ $ ./test.sh
+ st_mode is 100644
+ open failed: -1
+ cat: /tmp/overlay/animal: Permission denied <---- Breaks access
+ -rw-r--r-- 1 jo jo 0 Oct 11 09:57 /tmp/overlay/animal
+
+ # With the offending commit reverted :
+
+ $ ./test.sh
+ st_mode is 100644
+ -rw-r--r-- 1 jo jo 0 Oct 11 16:01 /tmp/overlay/animal
+
[Other]
- TBD
+
+ ----> Test whether 4.4 kernels are affected by CVE-2018-16597
+
+ Since offending commit c0ca3d70e8d3(ovl: modify ovl_permission() to do
+ checks on two inodes) is related with CVE-2018-16597 a test script is
+ provided to confirm that 4.4 kernel are not affected by this cve and
+ therefore is safe to revert the commit.
+
+ Kernels tested :
+
+ 4.4 ESM kernels :
+ - 4.4.0-1057-aws (offending reverted) PASS
+ - 4.4.0-167-generic (offending reverted) PASS
+
+ 4.4 AWS Kenrels (not esm) :
+ - 4.4.0-1097-aws as is PASS
+ - 4.4.0-1097-aws offending reverted PASS
+
+ 4.4 Generic kernels (not esm) :
+ - 4.4.0-165-generic as is PASS
+ - 4.4.0-165-generic (offending reverted) PASS
+
+ Upstream kernels :
+ - latest upstream PASS
+ - upstream at offending PASS
+ - upstream before offending PASS
+ - 4.4 stable before offending PASS
+
+
+ ### DETAILS
+
+ A simple script is attached (test_overlay_permission.sh) to test whether
ubuntu 4.4 kernels are affected by CVE-2018-16597.
+ They are not. Neither is the stable 4.4.y upstream kernel.
+
+ The script tests for the reproducer found in [1] and a modified version
+ of it that doesn't breaks the following (quoting from [3] ):
+ "Changes to the underlying filesystems while part of a mounted overlay
+ filesystem are not allowed. If the underlying filesystem is changed,
+ the behavior of the overlay is undefined, though it will not result in
+ a crash or deadlock."
+
+ These two test cases should fail. So, expect to see
+ "cp: cannot create regular file <the file we're writing>: Permission denied".
+
+ Then there are a few other test cases (files placed in lower/upper dirs and
owned
+ by root/user).
+ The script checks the contents of the files at the end and reports anything
wrong by printing :
+ Problem with file <file>
+ and then cat-ing the file and listing the permissions.
+
+ An example (correct) output is the following :
+
+ ----------------------------------------------------------------------
+
+ $ ./test_overlay_permission.sh
+ Testing reproducer
+ This should fail
+ cp: cannot create regular file '/home/jo/test_cve/overlay/bash': Permission
denied
+ Testing reproducer modified
+ This should fail
+ cp: cannot create regular file '/home/jo/test_cve/overlay/bash': Permission
denied
+
+ Testing other cases
+ ./test_overlay_permission.sh: line 100:
/home/jo/test_cve/overlay/after_mount_root: Permission denied
+ ./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/both_root:
Permission denied
+ ./test_overlay_permission.sh: line 100:
/home/jo/test_cve/overlay/lower_only_root: Permission denied
+ ./test_overlay_permission.sh: line 100:
/home/jo/test_cve/overlay/upper_only_root: Permission denied
+ ##########################################################
+ CHECK LOWER
+ ##########################################################
+ CHECK UPPER
+ ##########################################################
+ CHECK OVERLAY
+
+ ----------------------------------------------------------------------
+
+ We see that when "Testing reproducer" it fails so we are OK.
+ In addition, when "Testing other cases" we get 4 "Permission denied", which is
+ also the desired behaviour as a user is trying to write root-owned files.
+ In case, there's output after CHECK LOWER/UPPER/OERLAY something has gone
wrong and needs
+ investigation. In the case above, nothing is printed so we're good.
+
+
+ [1] https://bugzilla.suse.com/show_bug.cgi?id=1106512#c0
+ [2] https://gist.github.com/thomas-holmes/711bcdb28e2b8e6d1c39c1d99d292af7
+ [3] linux/Documentation/overlayfs.txt
** Changed in: linux (Ubuntu)
Status: Incomplete => In Progress
** Changed in: linux (Ubuntu Xenial)
Status: Confirmed => In Progress
** Attachment added: "test_overlay_permission.sh"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851243/+attachment/5318577/+files/test_overlay_permission.sh
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1851243
Title:
overlayfs : broken access to r/w files
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Xenial:
In Progress
Bug description:
[Description]
Commit c0ca3d70e8d3(ovl: modify ovl_permission() to do checks on two inodes)
(upstream id) breaks r/w access in overlayfs in 4.4 ubuntu kernels, later
ubuntu kernels are not affected.
There are two options to fix this either (a) backport ce31513a9114(ovl:
copyattr after setting POSIX ACL) to 4.4 or (b) revert offending commit
c0ca3d70e8d3(ovl: modify ovl_permission() to do checks on two inodes).
Option (a) has high risk of regression since ce31513a9114(ovl: copyattr after
setting POSIX ACL) has many dependencies on other commits that need to be
backported too.
We'll proceed with reverting c0ca3d70e8d3(ovl: modify ovl_permission() to do
checks on two inodes).
This commit is associated with CVE-2018-16597, however 4.4 kernels (both
ubuntu and upstream) are NOT affected by this cve so it's safe to revert it.
The offending commit was introduced upstream in v4.8-rc1. At this point had
nothing to do with any CVE.
It was related with CVE-2018-16597 as it was the fix for bug [1].
Then it was backported to stable 4.4 and this way it ended up in Ubuntu 4.4
kernels.
[Test Case]
----> Offending commit breaks r/w access in overlayfs
Reproducer available in [2].
To run the reproducer :
$./make-overlay.sh
$./test.sh
# With the offending commit in place :
$ ./test.sh
st_mode is 100644
open failed: -1
cat: /tmp/overlay/animal: Permission denied <---- Breaks access
-rw-r--r-- 1 jo jo 0 Oct 11 09:57 /tmp/overlay/animal
# With the offending commit reverted :
$ ./test.sh
st_mode is 100644
-rw-r--r-- 1 jo jo 0 Oct 11 16:01 /tmp/overlay/animal
[Other]
----> Test whether 4.4 kernels are affected by CVE-2018-16597
Since offending commit c0ca3d70e8d3(ovl: modify ovl_permission() to do
checks on two inodes) is related with CVE-2018-16597 a test script is
provided to confirm that 4.4 kernel are not affected by this cve and
therefore is safe to revert the commit.
Kernels tested :
4.4 ESM kernels :
- 4.4.0-1057-aws (offending reverted) PASS
- 4.4.0-167-generic (offending reverted) PASS
4.4 AWS Kenrels (not esm) :
- 4.4.0-1097-aws as is PASS
- 4.4.0-1097-aws offending reverted PASS
4.4 Generic kernels (not esm) :
- 4.4.0-165-generic as is PASS
- 4.4.0-165-generic (offending reverted) PASS
Upstream kernels :
- latest upstream PASS
- upstream at offending PASS
- upstream before offending PASS
- 4.4 stable before offending PASS
### DETAILS
A simple script is attached (test_overlay_permission.sh) to test whether
ubuntu 4.4 kernels are affected by CVE-2018-16597.
They are not. Neither is the stable 4.4.y upstream kernel.
The script tests for the reproducer found in [1] and a modified version
of it that doesn't breaks the following (quoting from [3] ):
"Changes to the underlying filesystems while part of a mounted overlay
filesystem are not allowed. If the underlying filesystem is changed,
the behavior of the overlay is undefined, though it will not result in
a crash or deadlock."
These two test cases should fail. So, expect to see
"cp: cannot create regular file <the file we're writing>: Permission denied".
Then there are a few other test cases (files placed in lower/upper dirs and
owned
by root/user).
The script checks the contents of the files at the end and reports anything
wrong by printing :
Problem with file <file>
and then cat-ing the file and listing the permissions.
An example (correct) output is the following :
----------------------------------------------------------------------
$ ./test_overlay_permission.sh
Testing reproducer
This should fail
cp: cannot create regular file '/home/jo/test_cve/overlay/bash': Permission
denied
Testing reproducer modified
This should fail
cp: cannot create regular file '/home/jo/test_cve/overlay/bash': Permission
denied
Testing other cases
./test_overlay_permission.sh: line 100:
/home/jo/test_cve/overlay/after_mount_root: Permission denied
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/both_root:
Permission denied
./test_overlay_permission.sh: line 100:
/home/jo/test_cve/overlay/lower_only_root: Permission denied
./test_overlay_permission.sh: line 100:
/home/jo/test_cve/overlay/upper_only_root: Permission denied
##########################################################
CHECK LOWER
##########################################################
CHECK UPPER
##########################################################
CHECK OVERLAY
----------------------------------------------------------------------
We see that when "Testing reproducer" it fails so we are OK.
In addition, when "Testing other cases" we get 4 "Permission denied", which is
also the desired behaviour as a user is trying to write root-owned files.
In case, there's output after CHECK LOWER/UPPER/OERLAY something has gone
wrong and needs
investigation. In the case above, nothing is printed so we're good.
[1] https://bugzilla.suse.com/show_bug.cgi?id=1106512#c0
[2] https://gist.github.com/thomas-holmes/711bcdb28e2b8e6d1c39c1d99d292af7
[3] linux/Documentation/overlayfs.txt
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851243/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
