Re: CLONE_NEWUSER|CLONE_FS root exploit

[Agostino Sarubbo <ago () gentoo org>]

On Wednesday 13 March 2013 18:33:00 Greg KH wrote:
> On Thu, Mar 14, 2013 at 09:03:20AM +0800, Eugene Teo wrote:
> > On 14 Mar, 2013, at 8:59 AM, Eugene Teo <eugeneteo () kernel sg> wrote:
> > > On 13 Mar, 2013, at 11:39 PM, Sebastian Krahmer <krahmer () suse de> wrote:
> > > > Hi,
> > > >
> > > > Seems like CLONE_NEWUSER|CLONE_FS might be a forbidden
> > > > combination.
> > > > During evaluating the new user namespace thingie, it turned out
> > > > that its trivially exploitable to get a (real) uid 0,
> > > > as demonstrated here:
> > > >
> > > > http://stealth.openwall.net/xSports/clown-newuser.c
> > > >
> > > > The trick is to setup a chroot in your CLONE_NEWUSER,
> > > > but also affecting the parent, which is running
> > > > in the init_user_ns, but with the chroot shared.
> > > > Then its trivial to get a rootshell from that.
> > > >
> > > > Tested on a openSUSE12.1 with a custom build 3.8.2 (x86_64).
> > > >
> > > > I hope I didnt make anything wrong, mixing up the UIDs,
> > > > or disabled important checks during kernel build on my test
> > > > system. ;)
> > >
> > > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?
> > > id=aea8b5d1e5c5482e7cdda849dc16d728f7080289> 
> > I realised that the link is incorrect. Will post again when I see the
> > patches.
> It is commit e66eded8309ebf679d3d3c1f5820d1f2ca332c71 in Linus's tree,
> so replace the sha in the above link with this one instead.

Someone know exactly in which version the bug appears and which series are 
affected?
-- 
Agostino Sarubbo
Gentoo Linux Developer