pt_chown timeline, CVE request [was: Access to /dev/pts devices via pt_chown and user namespaces]

[Jann Horn <jann () thejh net>]

Because this can realistically lead to a privilege escalation to root,
I would like to request CVE identifier allocation if that hasn't
already happened.

On Tue, Feb 23, 2016 at 12:03:54PM +0000, halfdog wrote:
> The logic above is severely flawed, when there can be more than one
> master/slave pair having the same number and thus same name. But this
> condition can be easily created by creating an user namespace,
> mounting devpts with the newinstance option, create master and slave
> pts pairs until the number overlaps with a target pts outside the
> namespace on the host, where there is interest to gain ownership and
> then invoke pt_chown.
[...]
> In my opinion, this security bug should be fixed two-fold: At first,
> kernel should prevent the TIOCGPTN ioctl when invoked called by a
> process within one namespace but acting on a filedescriptor from a
> devpts instance mounted in a different namespace.

As mentioned in the private discussion about the bug (I think), that
only works if you assume that there are no chroot directories with
other devpts instances mounted in the init namespace or so.


> Additionally
> pt_chown should check via readlink and stat, that the passed file
> descriptor really was from the /dev/ptmx or /dev/pts/ptmx device
> present in the same namespace as the /dev/pts/[num] device is
> residing.

> This of course is only relevant if pt_chown is going to
> survive on recent namespace aware systems.

As others figured out in the private bug discussion, pt_chown is
already not installed as setuid binary by glibc anymore.
That it is present in Debian and Ubuntu is because of a distro patch
in Debian, which Debian applied to work around the bug that the
"[PATCH] devpts: Sensible /dev/ptmx & force newinstance" patch is
supposed to fix. So with a fix for that issue applied, Debian and
Ubuntu should be able to just drop the distro patch, fixing the
vuln by removing pt_chown.


> Timeline:
> =========
>
>     20151220: Discovery
>     20151227: Report at Ubuntu Launchpad1529486
>     20160104: Report to distros list
>     20160122: Patch to disable unprivileged userns due to this and
> other issues LKML
>     20160222: CRD and publication

I also discovered this. Let me share my timeline:

2015-07-28: reported to security () debian org
[some discussion]
2015-12-04: Florian Weimer suggests public disclosure
2015-12-05: I report the issue to security () kernel org, security () ubuntu com,
  security () debian org, Aurelien Jarno <aurelien () aurel32 net>,
  Florian Weimer <fw () deneb enyo de> and ask whether anyone can fix it
2015-12-05 until 2015-12-19: the issue is discussed and fix approaches
  are considered, mostly by kernel developers, privately
2015-12-11: Parts of this land on LKML for the first time in the
  "[PATCH] devpts: Sensible /dev/ptmx & force newinstance" email from
  Eric W. Biederman to LKML and the participants of the private email
  thread (https://lkml.org/lkml/2015/12/11/760), and in the following
  public discussion, it's possible to see mentions of the security issue.

Attachment: signature.asc
Description: Digital signature