** Description changed:

  [Description]
- TBD
+ Commit c0ca3d70e8d3 (ovl: modify ovl_permission() to do checks on two inodes) (upstream id) breaks r/w access in overlayfs in 4.4 Ubuntu kernels; later Ubuntu kernels are not affected.
+
+ There are two options to fix this: either (a) backport ce31513a9114 (ovl: copyattr after setting POSIX ACL) to 4.4, or (b) revert the offending commit c0ca3d70e8d3 (ovl: modify ovl_permission() to do checks on two inodes).
+ Option (a) has a high risk of regression, since ce31513a9114 (ovl: copyattr after setting POSIX ACL) has many dependencies on other commits that would need to be backported too.
+
+ We'll proceed with reverting c0ca3d70e8d3 (ovl: modify ovl_permission() to do checks on two inodes).
+ This commit is associated with CVE-2018-16597; however, 4.4 kernels (both Ubuntu and upstream) are NOT affected by this CVE, so it's safe to revert it.
+ The offending commit was introduced upstream in v4.8-rc1. At that point it had nothing to do with any CVE.
+ It became related to CVE-2018-16597 because it was the fix for bug [1].
+ Then it was backported to stable 4.4, and this is how it ended up in Ubuntu 4.4 kernels.
  
  [Test Case]
- TBD
+ ----> Offending commit breaks r/w access in overlayfs
- [Regression Potential]
- TBD
+ Reproducer available in [2].
+
+ To run the reproducer:
+ $ ./make-overlay.sh
+ $ ./test.sh
+
+ # With the offending commit in place:
+
+ $ ./test.sh
+ st_mode is 100644
+ open failed: -1
+ cat: /tmp/overlay/animal: Permission denied <---- Breaks access
+ -rw-r--r-- 1 jo jo 0 Oct 11 09:57 /tmp/overlay/animal
+
+ # With the offending commit reverted:
+
+ $ ./test.sh
+ st_mode is 100644
+ -rw-r--r-- 1 jo jo 0 Oct 11 16:01 /tmp/overlay/animal
  
  [Other]
- TBD
+
+ ----> Test whether 4.4 kernels are affected by CVE-2018-16597
+
+ Since the offending commit c0ca3d70e8d3 (ovl: modify ovl_permission() to do checks on two inodes) is related to CVE-2018-16597, a test script is provided to confirm that 4.4 kernels are not affected by this CVE and that it is therefore safe to revert the commit.
+
+ Kernels tested:
+
+ 4.4 ESM kernels:
+ - 4.4.0-1057-aws (offending reverted) PASS
+ - 4.4.0-167-generic (offending reverted) PASS
+
+ 4.4 AWS kernels (not ESM):
+ - 4.4.0-1097-aws as is PASS
+ - 4.4.0-1097-aws offending reverted PASS
+
+ 4.4 Generic kernels (not ESM):
+ - 4.4.0-165-generic as is PASS
+ - 4.4.0-165-generic (offending reverted) PASS
+
+ Upstream kernels:
+ - latest upstream PASS
+ - upstream at offending PASS
+ - upstream before offending PASS
+ - 4.4 stable before offending PASS
+
+
+ ### DETAILS
+
+ A simple script is attached (test_overlay_permission.sh) to test whether Ubuntu 4.4 kernels are affected by CVE-2018-16597.
+ They are not. Neither is the stable 4.4.y upstream kernel.
+
+ The script tests for the reproducer found in [1] and a modified version of it that doesn't break the following (quoting from [3]):
+ "Changes to the underlying filesystems while part of a mounted overlay filesystem are not allowed. If the underlying filesystem is changed, the behavior of the overlay is undefined, though it will not result in a crash or deadlock."
+
+ These two test cases should fail. So, expect to see
+ "cp: cannot create regular file <the file we're writing>: Permission denied".
+
+ Then there are a few other test cases (files placed in lower/upper dirs and owned by root/user).
+ The script checks the contents of the files at the end and reports anything wrong by printing:
+ Problem with file <file>
+ and then cat-ing the file and listing the permissions.
+
+ An example (correct) output is the following:
+
+ ----------------------------------------------------------------------
+
+ $ ./test_overlay_permission.sh
+ Testing reproducer
+ This should fail
+ cp: cannot create regular file '/home/jo/test_cve/overlay/bash': Permission denied
+ Testing reproducer modified
+ This should fail
+ cp: cannot create regular file '/home/jo/test_cve/overlay/bash': Permission denied
+
+ Testing other cases
+ ./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/after_mount_root: Permission denied
+ ./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/both_root: Permission denied
+ ./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/lower_only_root: Permission denied
+ ./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/upper_only_root: Permission denied
+ ##########################################################
+ CHECK LOWER
+ ##########################################################
+ CHECK UPPER
+ ##########################################################
+ CHECK OVERLAY
+
+ ----------------------------------------------------------------------
+
+ We see that "Testing reproducer" fails, so we are OK.
+ In addition, "Testing other cases" gives 4 "Permission denied" messages, which is also the desired behaviour, as a user is trying to write root-owned files.
+ If there is any output after CHECK LOWER/UPPER/OVERLAY, something has gone wrong and needs investigation. In the case above, nothing is printed, so we're good.
+
+
+ [1] https://bugzilla.suse.com/show_bug.cgi?id=1106512#c0
+ [2] https://gist.github.com/thomas-holmes/711bcdb28e2b8e6d1c39c1d99d292af7
+ [3] linux/Documentation/overlayfs.txt
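As an added example (not the attached test_overlay_permission.sh and not the reproducer from the gist), the following POSIX shell checker applies the pass/fail rules stated above to the output of test_overlay_permission.sh: both reproducer variants must end in "Permission denied", the "other cases" section must produce exactly 4 "Permission denied" lines, and nothing may be printed after the CHECK LOWER/UPPER/OVERLAY banners. It assumes only the output format quoted in this bug (the "Testing ..." headers, the "#" banners and the "Problem with file" prefix). The sample outputs are constructed: the first is the correct run quoted above, the other two are derived from it, and the mismatch details in the second sample are made up.

```shell
#!/bin/sh
# Added example, not part of the attached test_overlay_permission.sh: apply the
# pass/fail rules from the bug description to that script's output.
# The sample outputs further down are constructed.

# check_overlay_output FILE
#   Prints PASS and returns 0 when FILE matches the expected pattern,
#   prints FAIL and returns 1 otherwise.
check_overlay_output() {
    awk '
        # section headers printed by the test script
        /^Testing reproducer/           { section = "repro"; repro_headers++; next }
        /^Testing other cases/          { section = "other"; next }
        /^CHECK (LOWER|UPPER|OVERLAY)$/ { section = "check"; next }
        # banner, blank and "This should fail" lines carry no result
        /^#+$/ || /^$/ || /^This should fail$/ { next }
        # a refused write is the desired outcome in the first two sections
        /Permission denied/ {
            if (section == "repro") repro_denied++
            else if (section == "other") other_denied++
            next
        }
        # the script flags a content mismatch with this prefix
        /^Problem with file/ { problems++; next }
        # anything else under a CHECK banner is unexpected output
        section == "check" { leftovers++ }
        END {
            status = 0
            # both reproducer variants must be refused (2 headers, 2 denials);
            # a reproducer whose cp succeeds is the CVE-2018-16597 behaviour
            if (repro_headers != 2 || repro_denied != 2) status = 1
            # the 4 user writes to root-owned files must be refused
            if (other_denied != 4) status = 1
            # output after CHECK LOWER/UPPER/OVERLAY needs investigation
            if (problems > 0 || leftovers > 0) status = 1
            print (status == 0 ? "PASS" : "FAIL")
            exit status
        }
    ' "$1"
}

# --- constructed samples ----------------------------------------------------
good_output=$(mktemp); bad_output=$(mktemp); vuln_output=$(mktemp)
trap 'rm -f "$good_output" "$bad_output" "$vuln_output"' EXIT

# 1. the correct run quoted in the bug report
cat > "$good_output" <<'EOF'
Testing reproducer
This should fail
cp: cannot create regular file '/home/jo/test_cve/overlay/bash': Permission denied
Testing reproducer modified
This should fail
cp: cannot create regular file '/home/jo/test_cve/overlay/bash': Permission denied

Testing other cases
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/after_mount_root: Permission denied
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/both_root: Permission denied
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/lower_only_root: Permission denied
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/upper_only_root: Permission denied
##########################################################
CHECK LOWER
##########################################################
CHECK UPPER
##########################################################
CHECK OVERLAY
EOF

# 2. the same run, but the final content check reported a mismatch
#    (the contents and listing below are made up for the example)
{
    cat "$good_output"
    printf '%s\n' 'Problem with file /home/jo/test_cve/overlay/lower_only_root' \
                  'unexpected contents' \
                  '-rw-r--r-- 1 root root 20 Oct 11 16:01 /home/jo/test_cve/overlay/lower_only_root'
} > "$bad_output"

# 3. a kernel on which the reproducer's cp succeeds (no "Permission denied"
#    after "This should fail"): the CVE-2018-16597 outcome, so it must FAIL
grep -v 'overlay/bash' "$good_output" > "$vuln_output"

for f in "$good_output" "$bad_output" "$vuln_output"; do
    printf '%s: ' "$f"
    check_overlay_output "$f" || true
done
```

Run it as `sh checker.sh` to see one PASS and two FAIL verdicts for the three samples; in practice, pipe the real script's output to a file and call `check_overlay_output` on it so the verdict can be consumed by a test harness via the exit status rather than by reading the transcript.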
** Changed in: linux (Ubuntu)
       Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Xenial)
       Status: Confirmed => In Progress

** Attachment added: "test_overlay_permission.sh"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851243/+attachment/5318577/+files/test_overlay_permission.sh

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1851243

Title:
  overlayfs : broken access to r/w files

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress