** Changed in: linux (Ubuntu)
       Status: Confirmed => Fix Released

** Information type changed from Private Security to Public Security

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-16120

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1894980

Title:
  CVE-2020-16120: unprivileged overlayfs permission checking

Status in linux package in Ubuntu:
  Fix Released

Bug description:
  Opening this as a tracking bug for CVE-2020-16120

  Hi,

  while playing with shiftfs I've noticed a strange interaction with overlay that seems to allow reading files under an accessible directory, even if they are not readable to the user who created the user namespace.

  While overlay would not accept a FUSE file system as upper layer, it seems the check doesn't work when it goes through a shiftfs layer.

  For the exploit purpose, I've used fuse-overlayfs only because I am familiar with it, but I'd expect any FUSE file system to behave in the same way. The additional drop_unlink.patch patch is used only to inhibit deleting temporary files in fuse-overlayfs.

  The steps required are:

  1) create a user namespace with an unprivileged user.
  2) mount a FUSE file system where we have full control at M1. In the exploit fuse-overlayfs with a custom patch is used.
  3) mount shiftfs from the FUSE mount M1 to a mountpoint M2.
  4) mount overlay using /etc as lowerdir and M2 for the upperdir (and workdir).
  5) attempt a "mv M2/shadow M2/something-else".

  The shadow file that is coming from the lower layer (/etc/shadow) is copied to the shiftfs and ultimately to the FUSE file system. The copy would fail, but that happens too late, after the FUSE file system has already received the file content. Since we have full control over the FUSE file system, we can access the content of /etc/shadow.

  For running the exploit, you need to have the fuse-overlayfs dependencies installed (libc6-dev gcc g++ make automake autoconf pkgconf libfuse3-dev).

  It is enough to run "make" as unprivileged user, and if the exploit succeeds you get the content of the /etc/shadow file under the result/ directory.

  Tested on Ubuntu 20.04 with Linux 5.4.0-42-generic.

  Thanks,
  Giuseppe

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1894980/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
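The report above depends on three things being available to an unprivileged user at once: user namespaces, a FUSE mount, and the shiftfs and overlay filesystems. The following exposure check is an added example, not part of the Launchpad report or of any Ubuntu tooling; it reads copies of the Ubuntu-specific `kernel.unprivileged_userns_clone` sysctl and of `/proc/filesystems` from paths passed as arguments, so it can be run offline against files collected from a host (on kernels without that sysctl the file is absent and the check reports "not exposed", which should then be reviewed by hand).

```shell
#!/bin/sh
# Added example (not from the report): defender-side check for the preconditions
# described in CVE-2020-16120. Arguments are file paths so the check runs on
# copies taken from a host:
#   $1 - copy of /proc/sys/kernel/unprivileged_userns_clone (Ubuntu sysctl, assumed)
#   $2 - copy of /proc/filesystems
# overlay_userns_exposure returns 0 ("exposed") only when unprivileged user
# namespaces are enabled AND fuse, shiftfs and overlay are all registered.

missing_filesystems() {
    # Print the names (from the list after the file path) that do NOT appear
    # in the /proc/filesystems copy. Lines look like "nodev<TAB>fuse" or
    # "<TAB>ext4", so the filesystem name is always the last field.
    fs_file=$1
    shift
    for name in "$@"; do
        awk -v want="$name" '$NF == want { found = 1 } END { exit !found }' "$fs_file" \
            || printf '%s\n' "$name"
    done
}

overlay_userns_exposure() {
    sysctl_file=$1
    fs_file=$2
    userns_enabled=0
    # A value of exactly "1" means unprivileged users may create user namespaces.
    if [ -r "$sysctl_file" ] && [ "$(tr -d '[:space:]' < "$sysctl_file")" = "1" ]; then
        userns_enabled=1
    fi
    absent=$(missing_filesystems "$fs_file" fuse shiftfs overlay)
    if [ "$userns_enabled" -eq 1 ] && [ -z "$absent" ]; then
        echo "EXPOSED: unprivileged userns enabled; fuse, shiftfs and overlay all present"
        return 0
    fi
    echo "not exposed (userns_enabled=$userns_enabled; missing: ${absent:-none})"
    return 1
}
```

A result of "EXPOSED" does not by itself mean the kernel is vulnerable; confirm the installed kernel carries the fix for CVE-2020-16120 before treating the host as safe, and consider disabling unprivileged user namespaces where they are not needed.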