This bug was fixed in the package linux - 3.13.0-163.213

---------------
linux (3.13.0-163.213) trusty; urgency=medium

  * linux: 3.13.0-163.213 -proposed tracker (LP: #1802769)

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
    - mount: Retest MNT_LOCKED in do_umount
    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  * dev test in ubuntu_stress_smoke_test cause kernel oops on T-3.13 (LP: #1797546)
    - drm: fix NULL pointer access by wrong ioctl

  * Packaging resync (LP: #1786013)
    - [Package] add support for specifying the primary makefile

 -- Thadeu Lima de Souza Cascardo <casca...@canonical.com>  Tue, 13 Nov 2018 13:30:30 -0200

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu Cosmic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18653

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-18955

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-6559

https://bugs.launchpad.net/bugs/1789161

Title:
  Bypass of mount visibility through userns + mount propagation

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Fix Released
Status in linux source package in Disco:
  Fix Committed

Bug description:
  [Impact]
  Jonathan Calmels from NVIDIA reported that he's able to bypass the
  mount visibility security check in place in the Linux kernel by using
  a combination of the unbindable property along with the private mount
  propagation option to allow an unprivileged user to see a path which
  was purposefully hidden by the root user.

  [Test Case]
  Reproducer:

      # Hide a path to all users using a tmpfs
      root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
      root@castiana:~#

      # As an unprivileged user, unshare user namespace and mount namespace
      stgraber@castiana:~$ unshare -U -m -r

      # Confirm the path is still not accessible
      root@castiana:~# ls /sys/devices/

      # Make /sys recursively unbindable and private
      root@castiana:~# mount --make-runbindable /sys
      root@castiana:~# mount --make-private /sys

      # Recursively bind-mount the rest of /sys over to /mnt
      root@castiana:~# mount --rbind /sys/ /mnt

      # Access our hidden /sys/devices as an unprivileged user
      root@castiana:~# ls /mnt/devices/
      breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe
      LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system
      tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual

  [Regression Potential]
  Low. The fixes are relatively simple. Regressions would most likely be
  specific to software utilizing user namespaces + mount propagation,
  which is a small (but often important) portion of the Ubuntu archive.
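
An added detection example for the end state of the reproducer above (not part of the bug report, and not Ubuntu or kernel code): it parses mountinfo text and reports a second mount of the same filesystem subtree that lacks the child mount covering a path in the first. The sample lines, mount IDs and function names are constructed for illustration, and the check is a heuristic that flags candidates for review.

```python
import posixpath
from collections import namedtuple

Mount = namedtuple("Mount", "id parent dev root point tags")

# Constructed mountinfo lines (not captured from a real system): sysfs on /sys,
# a tmpfs cover on /sys/devices, and a second sysfs mount on /mnt with no cover.
SAMPLE = """\
25 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw
20 25 0:18 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
90 20 0:45 / /sys/devices rw,relatime unbindable - tmpfs tmpfs rw
95 25 0:18 / /mnt rw,relatime - sysfs sysfs rw
"""

def parse_mountinfo(text):
    """Parse the fields before the ' - ' separator of each mountinfo line."""
    mounts = []
    for line in text.splitlines():
        if " - " not in line:
            continue
        f = line.split(" - ", 1)[0].split()
        # id, parent id, major:minor, root, mount point, options, optional tags
        mounts.append(Mount(int(f[0]), int(f[1]), f[2], f[3], f[4], f[6:]))
    return mounts

def uncovered_copies(mounts):
    """Flag mounts of the same device and root that lack a cover present on another.

    Returns (copy_point, exposed_path, cover_point, cover_is_unbindable) tuples.
    """
    by_id = {m.id: m for m in mounts}
    points = {m.point for m in mounts}
    findings = []
    for cover in mounts:
        orig = by_id.get(cover.parent)
        if orig is None:          # root of the tree has no parent entry
            continue
        rel = posixpath.relpath(cover.point, orig.point)
        for copy in mounts:
            if copy.id == orig.id or (copy.dev, copy.root) != (orig.dev, orig.root):
                continue
            exposed = posixpath.join(copy.point, rel)
            if exposed not in points:   # nothing mounted over the same path
                findings.append((copy.point, exposed, cover.point,
                                 "unbindable" in cover.tags))
    return findings

if __name__ == "__main__":
    for finding in uncovered_copies(parse_mountinfo(SAMPLE)):
        print(finding)
```

On a live host the input would be the contents of /proc/<pid>/mountinfo for a process inside the mount namespace under review.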