overlayfs : broken access to r/w files

Bug #1851243 reported by Ioanna Alifieraki
Affects          Status        Importance  Assigned to         Milestone
linux (Ubuntu)   In Progress   Undecided   Unassigned
  Xenial         Fix Released  Medium      Ioanna Alifieraki

Bug Description

[Description]
Upstream commit c0ca3d70e8d3 ("ovl: modify ovl_permission() to do checks on two inodes") breaks read/write access to files in overlayfs on Ubuntu 4.4 kernels; later Ubuntu kernels are not affected.

There are two options to fix this: either (a) backport ce31513a9114 ("ovl: copyattr after setting POSIX ACL") to 4.4, or (b) revert the offending commit c0ca3d70e8d3 ("ovl: modify ovl_permission() to do checks on two inodes").
Option (a) carries a high risk of regression, since ce31513a9114 ("ovl: copyattr after setting POSIX ACL") depends on many other commits that would need to be backported too.

We'll proceed with reverting c0ca3d70e8d3 ("ovl: modify ovl_permission() to do checks on two inodes").
This commit is associated with CVE-2018-16597; however, 4.4 kernels (both Ubuntu and upstream) are NOT affected by this CVE, so it is safe to revert it.
The offending commit was introduced upstream in v4.8-rc1, where it had nothing to do with any CVE.
It became associated with CVE-2018-16597 later, as the fix for bug [1].
It was then backported to stable 4.4 and this way ended up in the Ubuntu 4.4 kernels.

[Test Case]
----> Offending commit breaks r/w access in overlayfs

Reproducer available in [2].

To run the reproducer:
$ ./make-overlay.sh
$ ./test.sh

# With the offending commit in place :

$ ./test.sh
st_mode is 100644
open failed: -1
cat: /tmp/overlay/animal: Permission denied <---- Breaks access
-rw-r--r-- 1 jo jo 0 Oct 11 09:57 /tmp/overlay/animal

# With the offending commit reverted :

$ ./test.sh
st_mode is 100644
-rw-r--r-- 1 jo jo 0 Oct 11 16:01 /tmp/overlay/animal

[Other]

----> Test whether 4.4 kernels are affected by CVE-2018-16597

Since the offending commit c0ca3d70e8d3 ("ovl: modify ovl_permission() to do checks on two inodes") is related to CVE-2018-16597, a test script is provided to confirm that 4.4 kernels are not affected by this CVE and that it is therefore safe to revert the commit.

Kernels tested:

4.4 ESM kernels:
- 4.4.0-1057-aws (offending reverted) PASS
- 4.4.0-167-generic (offending reverted) PASS

4.4 AWS kernels (not ESM):
- 4.4.0-1097-aws (as is) PASS
- 4.4.0-1097-aws (offending reverted) PASS

4.4 generic kernels (not ESM):
- 4.4.0-165-generic (as is) PASS
- 4.4.0-165-generic (offending reverted) PASS

Upstream kernels:
- latest upstream PASS
- upstream at offending commit PASS
- upstream before offending commit PASS
- 4.4 stable before offending commit PASS

### DETAILS

A simple script is attached (test_overlay_permission.sh) to test whether Ubuntu 4.4 kernels are affected by CVE-2018-16597.
They are not. Neither is the stable 4.4.y upstream kernel.

The script tests the reproducer found in [1] and a modified version of it that does not break the following rule (quoting from [3]):
"Changes to the underlying filesystems while part of a mounted overlay
filesystem are not allowed. If the underlying filesystem is changed,
the behavior of the overlay is undefined, though it will not result in
a crash or deadlock."

Both of these test cases should fail, so expect to see
"cp: cannot create regular file <the file we're writing>: Permission denied".

Then there are a few other test cases (files placed in the lower/upper dirs and owned
by root/user).
At the end the script checks the contents of the files and reports anything wrong by printing
Problem with file <file>
and then cat-ing the file and listing its permissions.

An example (correct) output is the following :

----------------------------------------------------------------------

$ ./test_overlay_permission.sh
Testing reproducer
This should fail
cp: cannot create regular file '/home/jo/test_cve/overlay/bash': Permission denied
Testing reproducer modified
This should fail
cp: cannot create regular file '/home/jo/test_cve/overlay/bash': Permission denied

Testing other cases
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/after_mount_root: Permission denied
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/both_root: Permission denied
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/lower_only_root: Permission denied
./test_overlay_permission.sh: line 100: /home/jo/test_cve/overlay/upper_only_root: Permission denied
##########################################################
CHECK LOWER
##########################################################
CHECK UPPER
##########################################################
CHECK OVERLAY

----------------------------------------------------------------------

We see that "Testing reproducer" fails, so we are OK.
In addition, "Testing other cases" gives 4 "Permission denied" errors, which is
also the desired behaviour, as an unprivileged user is trying to write root-owned files.
If there is any output after CHECK LOWER/UPPER/OVERLAY, something has gone wrong and needs
investigation. In the case above nothing is printed, so we're good.
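A combined check, added here as an example (it is not make-overlay.sh/test.sh from [2], nor the attached test_overlay_permission.sh), covering both the [Test Case] symptom above and the lower-directory integrity check this section describes. The first check compares the read bit that stat() reports for the calling user with the outcome of actually opening the file, which is exactly the contradiction in the test.sh output (mode 100644, owned by the user, yet "Permission denied"). The second records a digest of every lower file, writes through the overlay, and verifies that lower is byte-identical afterwards. The tree location, the file name "animal" and the sub-command names are assumptions; the mount step needs root, and the checks are meant to be run as the unprivileged owner of the files, the way the bug was reproduced as user jo.

```shell
#!/bin/sh
# Added example (not the make-overlay.sh/test.sh from [2] nor the attached
# test_overlay_permission.sh): builds an overlay tree, then checks
#   1. that the mode reported by stat() and the result of a real open() for
#      read agree on a merged file (the symptom in [Test Case] is mode 0644,
#      owned by the caller, yet "Permission denied"), and
#   2. that writing through the overlay never modifies the lower directory
#      (what the CVE-2018-16597 script checks by comparing file contents).
# OVL_ROOT and the file name "animal" are assumptions. "mount" needs root;
# run "setup" and "check" as the unprivileged user who owns the files.

OVL_ROOT="${OVL_ROOT:-/tmp/ovl-check}"

# Create lower/upper/work/merged under $1 with one caller-owned 0644 lower
# file. Nothing is mounted here.
ovl_setup_tree() {
    root="$1"
    [ -n "$root" ] || return 1
    rm -rf "$root"
    mkdir -p "$root/lower" "$root/upper" "$root/work" "$root/merged"
    printf 'cat\n' > "$root/lower/animal"
    chmod 0644 "$root/lower/animal"
}

# Hash every lower file so later changes can be detected.
ovl_lower_digest() {
    ( cd "$1/lower" && find . -type f -exec sha256sum {} + | sort )
}

ovl_baseline() {
    ovl_lower_digest "$1" > "$1/lower.sha256"
}

# 0 if the lower tree still matches the recorded baseline, 1 otherwise.
ovl_lower_unchanged() {
    ovl_lower_digest "$1" | cmp -s - "$1/lower.sha256"
}

# 0 when the read bit that applies to us (owner/group/other, from stat) and
# the outcome of actually opening the file for read agree, 1 when they do
# not. Root bypasses DAC, so there is nothing to compare as uid 0.
ovl_read_consistent() {
    f="$1"
    me=$(id -u)
    [ "$me" -eq 0 ] && return 0
    perms=$(stat -c '%A' "$f")        # e.g. -rw-r--r--
    owner=$(stat -c '%u' "$f")
    group=$(stat -c '%g' "$f")
    if [ "$owner" -eq "$me" ]; then
        bit=$(printf '%s' "$perms" | cut -c2)
    else
        case " $(id -G) " in
            *" $group "*) bit=$(printf '%s' "$perms" | cut -c5) ;;
            *)            bit=$(printf '%s' "$perms" | cut -c8) ;;
        esac
    fi
    if [ "$bit" = r ]; then expect=0; else expect=1; fi
    if cat "$f" >/dev/null 2>&1; then actual=0; else actual=1; fi
    [ "$expect" -eq "$actual" ]
}

ovl_mount() {
    mount -t overlay overlay \
        -o "lowerdir=$1/lower,upperdir=$1/upper,workdir=$1/work" \
        "$1/merged"
}

# Run both checks against the mounted overlay; non-zero means broken.
ovl_check() {
    root="$1"; rc=0; f="$root/merged/animal"
    if ovl_read_consistent "$f"; then
        echo "read check OK: $f"
    else
        echo "BROKEN: stat mode and open() disagree on $f"; ls -l "$f"; rc=1
    fi
    # A write must be copied up into upper; lower must stay byte-identical.
    printf 'dog\n' > "$f" 2>/dev/null || echo "write through overlay failed: $f"
    if ovl_lower_unchanged "$root"; then
        echo "lower unchanged OK"
    else
        echo "BROKEN: lower directory was modified through the overlay"; rc=1
    fi
    return $rc
}

case "${1:-}" in
    setup) ovl_setup_tree "$OVL_ROOT" && ovl_baseline "$OVL_ROOT" ;;
    mount) ovl_mount "$OVL_ROOT" ;;
    check) ovl_check "$OVL_ROOT" ;;
    "")    ;;   # no sub-command: only define the functions
    *)     echo "usage: $0 setup|mount|check" >&2; exit 2 ;;
esac
```

Run "setup" as the user, "mount" as root (for instance through sudo), then "check" as the user again. On an affected 4.4 kernel the first check reports the stat/open disagreement seen in the [Test Case] output; a kernel on which the lower file can be modified through the overlay fails the second check.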

[1] https://bugzilla.suse.com/show_bug.cgi?id=1106512#c0
[2] https://gist.github.com/thomas-holmes/711bcdb28e2b8e6d1c39c1d99d292af7
[3] linux/Documentation/overlayfs.txt

Changed in linux (Ubuntu Xenial):
status: New → Confirmed
importance: Undecided → High
importance: High → Medium
assignee: nobody → Ioanna Alifieraki (joalif)
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1851243

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Ioanna Alifieraki (joalif) wrote :
description: updated
Changed in linux (Ubuntu):
status: Incomplete → In Progress
Changed in linux (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Revision history for this message
Ioanna Alifieraki (joalif) wrote :

VERIFY BUG ON XENIAL

#Test with latest kernel in -updates

$ uname -a
Linux xenial-kernel 4.4.0-173-generic #203-Ubuntu SMP Wed Jan 15 02:55:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ ./make-overlay.sh
$ ./test.sh
st_mode is 100644
open failed: -1
cat: /tmp/overlay/animal: Permission denied
-rw-r--r-- 1 jo jo 0 Jan 31 16:54 /tmp/overlay/animal

Issue is reproducible.

#Test with kernel in -proposed

$ uname -a
Linux xenial-kernel 4.4.0-174-generic #204-Ubuntu SMP Wed Jan 29 06:41:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ ./make-overlay.sh
$ ./test.sh
st_mode is 100644
-rw-r--r-- 1 jo jo 0 Jan 31 16:59 /tmp/overlay/animal

Issue has been resolved.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-174.204

---------------
linux (4.4.0-174.204) xenial; urgency=medium

  * xenial/linux: 4.4.0-174.204 -proposed tracker (LP: #1861122)

  * Xenial update: 4.4.211 upstream stable release (LP: #1860681)
    - hidraw: Return EPOLLOUT from hidraw_poll
    - HID: hidraw: Fix returning EPOLLOUT from hidraw_poll
    - HID: hidraw, uhid: Always report EPOLLOUT
    - cfg80211/mac80211: make ieee80211_send_layer2_update a public function
    - mac80211: Do not send Layer 2 Update frame before authorization
    - media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap
    - p54usb: Fix race between disconnect and firmware loading
    - ALSA: line6: Fix write on zero-sized buffer
    - ALSA: line6: Fix memory leak at line6_init_pcm() error path
    - xen: let alloc_xenballooned_pages() fail if not enough memory free
    - wimax: i2400: fix memory leak
    - wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle
    - ext4: fix use-after-free race with debug_want_extra_isize
    - ext4: add more paranoia checking in ext4_expand_extra_isize handling
    - rtc: mt6397: fix alarm register overwrite
    - iommu: Remove device link to group on failure
    - gpio: Fix error message on out-of-range GPIO in lookup table
    - hsr: reset network header when supervision frame is created
    - cifs: Adjust indentation in smb2_open_file
    - RDMA/srpt: Report the SCSI residual to the initiator
    - scsi: enclosure: Fix stale device oops with hot replug
    - scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI
    - platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0
    - iio: imu: adis16480: assign bias value only if operation succeeded
    - mei: fix modalias documentation
    - clk: samsung: exynos5420: Preserve CPU clocks configuration during
      suspend/resume
    - compat_ioctl: handle SIOCOUTQNSD
    - tty: serial: imx: use the sg count from dma_map_sg
    - tty: serial: pch_uart: correct usage of dma_unmap_sg
    - media: exynos4-is: Fix recursive locking in isp_video_release()
    - spi: atmel: fix handling of cs_change set on non-last xfer
    - rtlwifi: Remove unnecessary NULL check in rtl_regd_init
    - rtc: msm6242: Fix reading of 10-hour digit
    - rseq/selftests: Turn off timeout setting
    - hexagon: work around compiler crash
    - ocfs2: call journal flush to mark journal as empty after journal recovery
      when mount
    - ALSA: seq: Fix racy access for queue timer in proc read
    - Fix built-in early-load Intel microcode alignment
    - block: fix an integer overflow in logical block size
    - USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx
    - USB: serial: opticon: fix control-message timeouts
    - USB: serial: suppress driver bind attributes
    - USB: serial: ch341: handle unbound port at reset_resume
    - USB: serial: io_edgeport: add missing active-port sanity check
    - USB: serial: quatech2: handle unbound ports
    - scsi: mptfusion: Fix double fetch bug in ioctl
    - usb: core: hub: Improved device recognition on remote wakeup
    - x86/efistub: Disable paging at mixed mode entry
    - mm/pag...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released