** Description changed:

- This bug/limitation is present in lxc from 1.0.7-0ubuntu0.5 through
- 1.0.7-0ubuntu0.9 (or anything that incorporates
- 0003-CVE-2015-1335.patch). Basically, the limitation is obvious when
- using recursive bind mounts because ensure_not_symlink() only checks the
- last line of /proc/self/mountinfo which will be a submount so will
- always fail the test and trigger:
+ =======================================================================
+ SRU Justification
+ Impact: cannot start containers with lxc.mount.entries which are recursive bind mounts
+ Regression potential: this makes assumptions about the ordering of /proc/self/mountinfo, but no more so than the original CVE patch. So it should not regress from the previous lxc version.
+ Test case:
+
+ #!/bin/sh
+ set -ex
+ cleanup() {
+ umount /mnt/etc /mnt/proc || true
+ lxc-stop -n t1 -k || true
+ lxc-destroy -n t1 || true
+ }
+ trap cleanup EXIT
+ mkdir -p /mnt/etc /mnt/proc
+ mount --bind /etc /mnt/etc
+ mount --bind /proc /mnt/proc
+ lxc-create -t download -n t1 -- -d ubuntu -r trusty -a amd64
+ cat >> /var/lib/lxc/t1/config << EOF
+ lxc.mount.entry = /mnt hostmnt none rbind,create=dir
+ EOF
+ lxc-start -n t1 -F -l trace -o /dev/stdout
+ echo "DONE"
+
+ =======================================================================
+ This bug/limitation is present in lxc from 1.0.7-0ubuntu0.5 through 1.0.7-0ubuntu0.9 (or anything that incorporates 0003-CVE-2015-1335.patch). Basically, the limitation is obvious when using recursive bind mounts because ensure_not_symlink() only checks the last line of /proc/self/mountinfo which will be a submount so will always fail the test and trigger:

ensure_not_symlink: 1413 Mount onto /usr/lib/x86_64-linux-gnu/lxc/storage resulted in /usr/lib/x86_64-linux-gnu/lxc/storage/submount, not /usr/lib/x86_64-linux-gnu/lxc/storage

Sorry if this is a duplicate, I did spend quite some time trying to find a similar report. Thanks!
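As an added Python illustration (not lxc's C code) of the failure the report describes: the first check mirrors the "last line of /proc/self/mountinfo" comparison and fails for an rbind because the kernel lists the copied submounts after their parent; the second inspects only the entries appended since a snapshot taken before the mount, so an rbind tree passes while a mount that ended up at a different path is still rejected. The mountinfo lines, the target path and the `/elsewhere` redirect case are constructed for this example.

```python
import re
from typing import List

# Constructed /proc/self/mountinfo excerpt (field 5 is the mount point).
MOUNTINFO_BEFORE = """\
22 27 0:21 / /proc rw,nosuid - proc proc rw
27 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw
40 27 8:1 /etc /mnt/etc rw,relatime - ext4 /dev/sda1 rw
41 27 0:21 / /mnt/proc rw,nosuid - proc proc rw
"""
TARGET = "/usr/lib/x86_64-linux-gnu/lxc/hostmnt"  # assumed rootfs path
# An rbind of /mnt copies its two submounts; they are listed after the
# parent, so the last line is never the mount point that was requested.
MOUNTINFO_RBIND = MOUNTINFO_BEFORE + f"""\
50 27 8:1 / {TARGET} rw,relatime - ext4 /dev/sda1 rw
51 50 8:1 /etc {TARGET}/etc rw,relatime - ext4 /dev/sda1 rw
52 50 0:21 / {TARGET}/proc rw,nosuid - proc proc rw
"""
# Constructed case the CVE check exists for: the mount landed elsewhere
# (for instance because the target path resolved through a symlink).
MOUNTINFO_REDIRECTED = MOUNTINFO_BEFORE + """\
50 27 8:1 / /elsewhere/hostmnt rw,relatime - ext4 /dev/sda1 rw
51 50 8:1 /etc /elsewhere/hostmnt/etc rw,relatime - ext4 /dev/sda1 rw
"""


def mount_points(mountinfo: str) -> List[str]:
    """Mount point of every line; the kernel writes space, tab, newline
    and backslash in a path as octal \\ooo escapes, which are decoded."""
    points = []
    for line in mountinfo.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            raw = fields[4]
            points.append(re.sub(r"\\([0-7]{3})",
                                 lambda m: chr(int(m.group(1), 8)), raw))
    return points


def last_line_check(after: str, target: str) -> bool:
    """The check as the report describes it: compare only the final line."""
    return mount_points(after)[-1] == target


def new_mounts_check(before: str, after: str, target: str) -> bool:
    """Look only at lines appended since the pre-mount snapshot (the same
    ordering assumption the SRU text mentions). The target itself must be
    among them and every new mount point must be the target or under it."""
    new = mount_points(after)[len(mount_points(before)):]
    under = target.rstrip("/") + "/"
    return target in new and all(p == target or p.startswith(under) for p in new)
```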
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1509752

Title:
  Bug in ensure_not_symlink() from 0003-CVE-2015-1335.patch

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1509752/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs