Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Oct 2014 17:32:13 -0700
From: Andy Lutomirski <luto@...capital.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-7970: Linux VFS denial of service

On 10/08/2014 12:48 PM, Andy Lutomirski wrote:
> pivot_root has a bug.  Exploiting it at all is tricky, but it can be
> done.  I'm reasonably confident that this is just denial of service.
> (There's also probably an information disclosure in there, but I think
> that it's only available to root, so it's not a big deal.)
> 
> I'm posting this a little bit early, since a patch is publicly
> available, the impact is low, and hitting the bad code path at all is
> quite tedious.  I'll send a proof of concept later on.
> 
> Distros: if you need a test case to validate the fix, let me know.
> Although, for validation, it should be sufficient to just chroot
> somewhere as root, escape the chroot (while still chrooted), and then
> pivot_root(".", ".") on a mountpoint.
> 
> Candidate patch here:
> 
> http://news.gmane.org/find-root.php?message_id=87bnpmihks.fsf%40x220.int.ebiederm.org
> 

The mitre.org description is:

The pivot_root implementation in fs/namespace.c in the Linux kernel
through 3.17 does not properly interact with certain locations of a
chroot directory, which allows local users to cause a denial of service
(mount-tree loop) via . (dot) values in both arguments to the pivot_root
system call.

This is a bit misleading.  Passing "." to both arguments of the
pivot_root system call is a perfectly fine (albeit brain-bending) thing
to do.

The bug was that, if either argument to pivot_root referred to a
directory outside of the calling processes's chroot, then pivot_root
would malfunction, corrupting the mount tree.

--Andy

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ