oss-sec mailing list archives
Re: USERNS allows circumventing MNT_LOCKED - Linux kernel
From: cve-assign () mitre org
Date: Sat, 18 Apr 2015 00:12:34 -0400 (EDT)
In October 2014, Andrey Vagin reported[1] to the Linux Containers list that it would be possible to use user namespaces to circumvent MNT_LOCKED and allow unprivileged users to access the directory structure underneath mounts. A PoC was also produced and is public. Patches are now available and proposed to Linus[2].

[1] https://groups.google.com/forum/#!topic/linux.kernel/HnegnbXk0Vs
[2] http://www.spinics.net/lists/linux-containers/msg30786.html
Use CVE-2014-9717 for the "The semantics of MNT_LOCKED are that you aren't allowed to see what is beneath. So if you can get under there even by unsharing the mount namespace it is an implementation bug in MNT_LOCKED." issue in the http://marc.info/?l=linux-kernel&m=141271552117745&w=2 post.

The scope of CVE-2014-9717 does not include the entire set of issues discussed in the msg30786.html post. In particular, a different part of that msg30786.html page already has a CVE mapping in the http://openwall.com/lists/oss-security/2015/04/04/4 post.

There currently isn't a CVE ID for the "While investigating this issue I also found an issue with __detach_mounts. The code was unnecessarily and incorrectly triggering mount propagation. Resulting in too many mounts going away when a directory is deleted, and too many cpu cycles are burned while doing that." finding (which seems to be in the http://www.spinics.net/lists/linux-containers/msg30789.html post). If an unprivileged user could have launched a worthwhile attack by deleting a directory in certain circumstances, then we can assign a separate CVE ID for that issue.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- USERNS allows circumventing MNT_LOCKED Eric Windisch (Apr 17)
- Re: USERNS allows circumventing MNT_LOCKED - Linux kernel cve-assign (Apr 17)