CVE-2018-6559 CrOS: Vulnerability reported in Linux kernel
Issue description
VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.
Advisory: CVE-2018-6559
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2018-6559
CVSS severity score: 2.1/10.0
Description: The Linux kernel, as used in Ubuntu 18.04 LTS and Ubuntu 18.10, allows local users to obtain names of files which they would not normally be able to access via an overlayfs mount inside of a user namespace.
This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Dec 7
Dec 7
The two patches are:
- eea2fb4851e9 ("ovl: proper cleanup of workdir")
  present in v4.4, v4.14, chromeos-4.19
- c0ca3d70e8d3 ("ovl: modify ovl_permission() to do checks on two inodes")
  present in v4.14, chromeos-4.19. Seems to cause a conflict when applying to v4.4.
Marking as WontFix.
Dec 7
Dec 7
Dec 11
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/108f367d095921119cefe303721a49f96a60d574

commit 108f367d095921119cefe303721a49f96a60d574
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Tue Dec 11 00:00:32 2018

UPSTREAM: Make file credentials available to the seqfile interfaces

commit 34dbbcdbf63360661ff7bda6c5f52f99ac515f92 upstream.

A lot of seqfile users seem to be using things like %pK that uses the credentials of the current process, but that is actually completely wrong for filesystem interfaces.

The unix semantics for permission checking files is to check permissions at _open_ time, not at read or write time, and that is not just a small detail: passing off stdin/stdout/stderr to a suid application and making the actual IO happen in privileged context is a classic exploit technique.

So if we want to be able to look at permissions at read time, we need to use the file open credentials, not the current ones. Normal file accesses can just use "f_cred" (or any of the helper functions that do that, like file_ns_capable()), but the seqfile interfaces do not have any such options.

It turns out that seq_file _does_ save away the user_ns information of the file, though. Since user_ns is just part of the full credential information, replace that special case with saving off the cred pointer instead, and suddenly seq_file has all the permission information it needs.

BUG=chromium:912891
TEST=None

Change-Id: I9b50641b597a008e13415fe45acd307378188df6
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 685adc73d6118863b385cd7084ecde7cd805b0a6 from linux-3.18.y)
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1368282

[modify] https://crrev.com/108f367d095921119cefe303721a49f96a60d574/fs/seq_file.c
[modify] https://crrev.com/108f367d095921119cefe303721a49f96a60d574/include/linux/seq_file.h
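The commit message above describes why a seq_file read must consult the credentials captured at open time (f_cred) rather than the credentials of whoever happens to be reading. The following is an added userland model of that distinction, not kernel code and not part of the commit or this bug: a constructed %pK-style pointer redaction is run once against the "current" credentials and once against the opener's credentials, in the scenario the message describes (an unprivileged user opens the file, then a privileged helper does the actual read). The struct and function names (model_seq_open, read_with_current_cred, read_with_file_cred, leaks) are illustrative assumptions.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed userland model; the kernel's real struct cred, struct file
 * and seq_file are far richer. Only the credential-source question is kept. */
struct cred {
    unsigned int uid;
    bool cap_syslog;          /* stands in for the capability that %pK checks */
};

/* Models struct seq_file after the fix: the opener's creds are saved. */
struct seq_file {
    const struct cred *file_cred;   /* like f_cred: fixed at open() time */
};

/* Models current_cred(): the credentials of the process running right now. */
static const struct cred *current_cred;

static const struct cred user_cred = { .uid = 1000, .cap_syslog = false };
static const struct cred root_cred = { .uid = 0,    .cap_syslog = true  };

/* Models seq_open(): record who opened the file. */
static void model_seq_open(struct seq_file *m)
{
    m->file_cred = current_cred;
}

/* %pK-style formatting under kptr_restrict=1 semantics: a reader without
 * the capability sees 0 instead of the real kernel address. */
static void format_kptr(char *buf, size_t len, unsigned long long ptr,
                        const struct cred *who)
{
    snprintf(buf, len, "%#llx", who->cap_syslog ? ptr : 0ULL);
}

/* Buggy behaviour: decide based on whoever is reading now. */
static void read_with_current_cred(struct seq_file *m, char *buf, size_t len)
{
    (void)m;
    format_kptr(buf, len, 0xffffffffc0de0000ULL, current_cred);
}

/* Fixed behaviour: decide based on the credentials used at open time. */
static void read_with_file_cred(struct seq_file *m, char *buf, size_t len)
{
    format_kptr(buf, len, 0xffffffffc0de0000ULL, m->file_cred);
}

/* The classic exploit shape from the commit message: an unprivileged process
 * opens the seq file, then hands the open descriptor to a privileged (setuid)
 * context that performs the read. Returns true if the kernel pointer reaches
 * the unprivileged opener. */
static bool leaks(void (*read_fn)(struct seq_file *, char *, size_t))
{
    struct seq_file m;
    char out[32];

    current_cred = &user_cred;      /* unprivileged process opens ... */
    model_seq_open(&m);

    current_cred = &root_cred;      /* ... and a setuid helper does the I/O */
    read_fn(&m, out, sizeof out);

    current_cred = &user_cred;      /* output goes back to the opener */
    return strcmp(out, "0") != 0;   /* anything but "0" is a real address */
}

int main(void)
{
    printf("check against current creds leaks: %s\n",
           leaks(read_with_current_cred) ? "yes" : "no");
    printf("check against file (open-time) creds leaks: %s\n",
           leaks(read_with_file_cred) ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one in the message: the read-time identity is attacker-influenced whenever a descriptor can be passed across a privilege boundary, so any permission decision made inside read() has to refer back to the identity that passed the open() check.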
Dec 11
#6: Correction, the patch is a fix for crbug.com/912887, not this bug.
Comment 1 by kerrnel@chromium.org, Dec 7