oss-sec mailing list archives
pt_chown timeline, CVE request [was: Access to /dev/pts devices via pt_chown and user namespaces]
From: Jann Horn <jann () thejh net>
Date: Sun, 28 Feb 2016 15:53:56 +0100
Because this can realistically lead to a privilege escalation to root, I would like to request CVE identifier allocation if that hasn't already happened. On Tue, Feb 23, 2016 at 12:03:54PM +0000, halfdog wrote:
The logic above is severely flawed, when there can be more than one master/slave pair having the same number and thus same name. But this condition can be easily created by creating an user namespace, mounting devpts with the newinstance option, create master and slave pts pairs until the number overlaps with a target pts outside the namespace on the host, where there is interest to gain ownership and then invoke pt_chown.
[...]
In my opinion, this security bug should be fixed two-fold: At first, kernel should prevent the TIOCGPTN ioctl when invoked called by a process within one namespace but acting on a filedescriptor from a devpts instance mounted in a different namespace.
As mentioned in the private discussion about the bug (I think), that only works if you assume that there are no chroot directories with other devpts instances mounted in the init namespace or so.
Additionally pt_chown should check via readlink and stat, that the passed file descriptor really was from the /dev/ptmx or /dev/pts/ptmx device present in the same namespace as the /dev/pts/[num] device is residing.
This of course is only relevant if pt_chown is going to survive on recent namespace aware systems.
As others figured out in the private bug discussion, pt_chown is already not installed as setuid binary by glibc anymore. That it is present in Debian and Ubuntu is because of a distro patch in Debian, which Debian applied to work around the bug that the "[PATCH] devpts: Sensible /dev/ptmx & force newinstance" patch is supposed to fix. So with a fix for that issue applied, Debian and Ubuntu should be able to just drop the distro patch, fixing the vuln by removing pt_chown.
Timeline: ========= 20151220: Discovery 20151227: Report at Ubuntu Launchpad1529486 20160104: Report to distros list 20160122: Patch to disable unprivileged userns due to this and other issues LKML 20160222: CRD and publication
I also discovered this. Let me share my timeline: 2015-07-28: reported to security () debian org [some discussion] 2015-12-04: Florian Weimer suggests public disclosure 2015-12-05: I report the issue to security () kernel org, security () ubuntu com, security () debian org, Aurelien Jarno <aurelien () aurel32 net>, Florian Weimer <fw () deneb enyo de> and ask whether anyone can fix it 2015-12-05 until 2015-12-19: the issue is discussed and fix approaches are considered, mostly by kernel developers, privately 2015-12-11: Parts of this land on LKML for the first time in the "[PATCH] devpts: Sensible /dev/ptmx & force newinstance" email from Eric W. Biederman to LKML and the participants of the private email thread (https://lkml.org/lkml/2015/12/11/760), and in the following public discussion, it's possible to see mentions of the security issue.
Attachment:
signature.asc
Description: Digital signature
Current thread:
- Access to /dev/pts devices via pt_chown and user namespaces halfdog (Feb 23)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Solar Designer (Feb 23)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Dmitry V. Levin (Feb 23)
- Re: Access to /dev/pts devices via pt_chown and user namespaces halfdog (Feb 23)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Simon McVittie (Feb 23)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Dmitry V. Levin (Feb 24)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Serge Hallyn (Feb 24)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Jakub Wilk (Feb 27)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Dmitry V. Levin (Feb 23)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Solar Designer (Feb 23)
- Re: Access to /dev/pts devices via pt_chown and user namespaces Alan Coopersmith (Feb 23)