Re: [PATCH review 4/4] vfs: Do not allow escaping from bind mounts.


Al Viro <viro@xxxxxxxxxxxxxxxxxx> writes:

> On Wed, Apr 08, 2015 at 06:34:12PM -0500, Eric W. Biederman wrote:
>> +	if (ancestor) {
>> +		mark_violated_mounts(dentry, ancestor);
>> +		mark_violated_mounts(target, ancestor);
>> +	}
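Review bot: the block marks both `dentry` and `target` with mark_violated_mounts() without distinguishing the exchange case from a plain move, and nothing in the hunk says why the destination side needs marking when nothing is swapped into its old place; the justification given later in this thread (open files under the old location still resolve through d_path to a name under the new location after __d_move, for non-exchange renames as well) belongs in a comment above the `if (ancestor)` check so the next reader does not see it as a copy-and-paste of the exchange path.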
>
> Umm...  Both sides the same way, regardless of whether it's exchange or
> move?  Looks wrong...

I am pretty certain it can cause d_path to become an information leak
if we do not.

> Look:
>
> mkdir /tmp/a
> mkdir /tmp/b
> mkdir /tmp/c
> mkdir /tmp/b/c
> touch /tmp/a/x
> mount --bind /tmp/b /tmp/c
> mv /tmp/a/x /tmp/b/c/x
>
> should that make the vfsmount on /tmp/c violated?  And if so, why?

If /tmp is a mount point and before the move there was a:
touch /tmp/b/c/x

And a process opened /tmp/c/c/x.
d_path on that file descriptor before __d_move would say:

/tmp/c/c/x

after the __d_move d_path would say:

/tmp/c/a/x

Which is bizarrely weird in this example, and could potentially be
an exploitable information leak in the hands of someone who knew
what they were doing.

I am not clever enough to take that deleted directory and walk up the
tree, so the damage may be limited to seeing the true path on the
filesystem.  But it just may be that I am dense today.

Furthermore all of the relevant changes to the dentry that happen
when exchange is true also happen when exchange is false, so I am very
reluctant to believe that the non-exchange case is not exploitable by a
sufficiently clever individual.

Eric

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers