Re: CVE-2014-7970: Linux VFS denial of service

[Andy Lutomirski <luto () amacapital net>]

On 10/08/2014 12:48 PM, Andy Lutomirski wrote:
> pivot_root has a bug.  Exploiting it at all is tricky, but it can be
> done.  I'm reasonably confident that this is just denial of service.
> (There's also probably an information disclosure in there, but I think
> that it's only available to root, so it's not a big deal.)
>
> I'm posting this a little bit early, since a patch is publicly
> available, the impact is low, and hitting the bad code path at all is
> quite tedious.  I'll send a proof of concept later on.
>
> Distros: if you need a test case to validate the fix, let me know.
> Although, for validation, it should be sufficient to just chroot
> somewhere as root, escape the chroot (while still chrooted), and then
> pivot_root(".", ".") on a mountpoint.
>
> Candidate patch here:
>
> http://news.gmane.org/find-root.php?message_id=87bnpmihks.fsf%40x220.int.ebiederm.org

The mitre.org description is:

The pivot_root implementation in fs/namespace.c in the Linux kernel
through 3.17 does not properly interact with certain locations of a
chroot directory, which allows local users to cause a denial of service
(mount-tree loop) via . (dot) values in both arguments to the pivot_root
system call.

This is a bit misleading.  Passing "." to both arguments of the
pivot_root system call is a perfectly fine (albeit brain-bending) thing
to do.

The bug was that, if either argument to pivot_root referred to a
directory outside of the calling processes's chroot, then pivot_root
would malfunction, corrupting the mount tree.

--Andy