Bugzilla – Bug 926238
VUL-0: CVE-2015-2925: kernel-source: vfs: Do not allow escaping from bind mounts
Last modified: 2016-09-08 10:20:26 UTC
Via oss-sec
http://permalink.gmane.org/gmane.linux.kernel.containers/29173
http://permalink.gmane.org/gmane.linux.kernel.containers/29177

Containers on Linux normally use bind mounts to restrict how much of the filesystem is visible for processes inside the container. However, if an attacker can gain capabilities within such a container or can create another user and mount namespace within the existing container, he can do something similar to a double-chroot attack to break out of the bind mount and gain access to the full filesystem to which the bind mount refers:

1. Create folders /A, /A/B, /C, /D inside the namespace.
2. Bind-mount the /A inside the namespace to /D.
3. Let a process chdir to /D/B.
4. Move /D/B over into /C.

The process which chdir'ed to /D/B is now in /C/B, but at the same time it is in a bind mount with /D as root. It can then traverse upwards, past what looks like / inside the namespace.

Our understanding so far is that the underlying problem is that the original design didn't fully consider the ability of an attacker to rename. Because of this, the rename implementation has been changed so that it detects a violation of the intended security properties and puts a countermeasure in place. This has been done in the fs/dcache.c __d_move function. There is no commit available yet at http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/fs/dcache.c

Use CVE-2015-2925 for this issue. As far as we can tell, the patches don't address a separate scenario in which a ".." attack can occur but the underlying problem is something other than rename handling. So, we don't think a second CVE ID is needed. (For purposes of CVE, a set of "possible to escape from bind mounts" discoveries could have multiple IDs if the root cause of one issue were the acceptability of the ".." syntax in a certain context, and the root cause of another issue were unrelated to this.)
References:
http://permalink.gmane.org/gmane.linux.kernel.containers/29177
https://bugzilla.redhat.com/show_bug.cgi?id=1209367
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2925
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2925.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2925

A patch is proposed: http://permalink.gmane.org/gmane.linux.kernel.containers/29177
openSUSE 13.2:
zgrep CONFIG_NAMESPACE /proc/config.gz
CONFIG_NAMESPACES=y

SLE 11:
zgrep CONFIG_NAMESPACE /proc/config.gz
CONFIG_NAMESPACES=y

Both affected.
bugbot adjusting priority
Hmm... a bit of a mess. When will people learn that a subtree is *not* like a mini-filesystem :-( The problem was, as Jack says, introduced by Commit: 0c55cfc4166d ("vfs: Allow unprivileged manipulation of the mount namespace."). Before that commit you had to be real root, not just root in a namespace, to mount anything. So we could just revert that patch (or the relevant part of it). But I guess it is possible that customers are using that functionality already. I'll try to find all the relevant discussions and see if I can understand the current state of the problem.
A new patchset was posted very recently: http://thread.gmane.org/gmane.linux.kernel.containers/28939/focus=94680 It looks fairly good, though there are aspects that I don't think are wonderful. I'd like to wait a while and see what sort of response it gets.
This was finally fixed upstream by Commit: 397d425dc26d ("vfs: Test for and handle paths that are unreachable from their mnt_root"). That patch (in a very different form) got into 3.12.49 as Commit: 2ca1ae468673 ("vfs: Test for and handle paths that are unreachable from their mnt_root") and so is already in SLE-12. I've applied that 3.12.49 patch to the 3.16 kernel for openSUSE-13.2 and have submitted that. So: this only applies to 3.8 or later. Now fixed in SLE-12, SLE-12-SP1, openSUSE-13.2. Do we need an update for 13.1 (Linux 3.11)?
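The comments above pin down which kernels this bug concerns (introduced with 3.8, the 3.12 stable series fixed from 3.12.49, exposure only with CONFIG_NAMESPACES=y, as checked with zgrep earlier in this bug). The POSIX sh triage helper below is an added example, not code from this bug report or from SUSE; the function names are mine, and the "check-advisory" outcome for other 3.8+ series is a deliberate choice because the report gives no mainline fix version.

```shell
#!/bin/sh
# Added triage helper for CVE-2015-2925 (not from the bug report).
# Facts taken from the comments: the problem arrived with 3.8
# (commit 0c55cfc4166d let namespace root mount), the 3.12 stable
# series carries the backport from 3.12.49 (commit 2ca1ae468673),
# and exposure needs CONFIG_NAMESPACES=y. The report gives no mainline
# fix version, so other 3.8+ series are reported as "check-advisory".

# Split a release string such as "3.16.7-29-default" into
# "MAJOR MINOR PATCH", dropping the local suffix and any non-digits.
kver_parts() {
    ver=${1%%-*}                       # "3.16.7-29-default" -> "3.16.7"
    maj=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then rest=0; fi     # no minor present
    min=${rest%%.*}
    rest2=${rest#*.}
    if [ "$rest2" = "$rest" ]; then rest2=0; fi  # no patch level present
    pat=${rest2%%.*}
    # keep leading digits only ("49+" -> "49")
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
    echo "${maj:-0} ${min:-0} ${pat:-0}"
}

# Usage: cve_2015_2925_status <release string> <kernel config text>
# Prints one of: not-affected, affected, fixed, check-advisory.
cve_2015_2925_status() {
    kernel=$1; config=$2
    # Without mount namespaces there is no bind-mount view to escape.
    case "$config" in
        *CONFIG_NAMESPACES=y*) ;;
        *) echo not-affected; return ;;
    esac
    set -- $(kver_parts "$kernel"); maj=$1; min=$2; pat=$3
    # Before 3.8 only real root could mount, so the bug is absent.
    if [ "$maj" -lt 3 ] || { [ "$maj" -eq 3 ] && [ "$min" -lt 8 ]; }; then
        echo not-affected; return
    fi
    # 3.12 stable is the only series the report pins a fix release to.
    if [ "$maj" -eq 3 ] && [ "$min" -eq 12 ]; then
        if [ "$pat" -ge 49 ]; then echo fixed; else echo affected; fi
        return
    fi
    echo check-advisory
}

# Live check on the running kernel, reading the config the way the
# earlier comment does:
#   cve_2015_2925_status "$(uname -r)" "$(zgrep CONFIG_NAMESPACES /proc/config.gz)"
```

For distribution kernels the package version, not the upstream base, decides; the advisories later in this bug list the fixed package versions for each product.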
If possible also for 13.1, but if it's too much work leave it out.
Not too much... just one step up from "trivial". Submitted to users/nfbrown/openSUSE-13.1/for-next
openSUSE-SU-2015:1842-1: An update that solves 7 vulnerabilities and has 7 fixes is now available.
Category: security (important)
Bug References: 919154,926238,937969,938645,939834,940338,941104,941305,941867,942178,944296,947155,951195,951440
CVE References: CVE-2015-0272,CVE-2015-1333,CVE-2015-2925,CVE-2015-3290,CVE-2015-5283,CVE-2015-5707,CVE-2015-7872
Sources used:
openSUSE 13.2 (src): bbswitch-0.8-3.13.2, cloop-2.639-14.13.2, crash-7.0.8-13.2, hdjmod-1.28-18.14.2, ipset-6.23-13.2, kernel-debug-3.16.7-29.1, kernel-default-3.16.7-29.1, kernel-desktop-3.16.7-29.1, kernel-docs-3.16.7-29.3, kernel-ec2-3.16.7-29.1, kernel-obs-build-3.16.7-29.2, kernel-obs-qa-3.16.7-29.1, kernel-obs-qa-xen-3.16.7-29.1, kernel-pae-3.16.7-29.1, kernel-source-3.16.7-29.1, kernel-syms-3.16.7-29.1, kernel-vanilla-3.16.7-29.1, kernel-xen-3.16.7-29.1, pcfclock-0.44-260.13.2, vhba-kmp-20140629-2.13.2, xen-4.4.2_06-27.2, xtables-addons-2.6-13.2
SUSE-SU-2015:2292-1: An update that solves 7 vulnerabilities and has 54 fixes is now available.
Category: security (important)
Bug References: 758040,814440,904348,921949,924493,926238,933514,936773,939826,939926,940776,941113,941202,943959,944296,947241,947478,949100,949192,949706,949744,949936,950013,950580,950750,950998,951110,951165,951440,951638,951864,952384,952666,953717,953826,953830,953971,953980,954635,954986,955136,955148,955224,955354,955422,955533,955644,956047,956053,956147,956284,956703,956711,956717,956801,956876,957395,957546,958504,958510,958647
CVE References: CVE-2015-0272,CVE-2015-2925,CVE-2015-5156,CVE-2015-7799,CVE-2015-7872,CVE-2015-7990,CVE-2015-8215
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): kernel-default-3.12.51-60.20.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): kernel-docs-3.12.51-60.20.2, kernel-obs-build-3.12.51-60.20.1
SUSE Linux Enterprise Server 12-SP1 (src): kernel-default-3.12.51-60.20.2, kernel-source-3.12.51-60.20.2, kernel-syms-3.12.51-60.20.2, kernel-xen-3.12.51-60.20.2
SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.51-60.20.2
SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12-SP1_Update_1-1-4.1
SUSE Linux Enterprise Desktop 12-SP1 (src): kernel-default-3.12.51-60.20.2, kernel-source-3.12.51-60.20.2, kernel-syms-3.12.51-60.20.2, kernel-xen-3.12.51-60.20.2
I think we are done with this now, so closing.
openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.
Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.1 (src): cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1
released