From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [oss-security] [CVE-2020-12114] Linux kernel denial of service by corrupting mountpoint reference counter
Date: Mon, 04 May 2020 12:18:21 +0100
Message-ID: <998272E3-6CFA-4985-8808-99F0EBE1BC3A@ipfire.org>
In-Reply-To: <337d71f9-8712-6f61-c20c-36ec7c067835@ipfire.org>
Hello Peter,
Thank you for forwarding this.
I am not terribly worried about this one, because an attacker needs to have local access to the firewall which would normally not be possible.
Of course we will patch this as soon as possible, but I do not think this justifies an emergency update.
Best,
-Michael
> On 4 May 2020, at 12:12, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello Arne, hello * (cc'ed),
>
> for your information.
>
> Thanks, and best regards,
> Peter Müller
>
>
> -------- Forwarded Message --------
> Subject: [oss-security] [CVE-2020-12114] Linux kernel denial of service by corrupting mountpoint reference counter
> Date: Mon, 4 May 2020 00:24:19 +0100
> From: Piotr Krysiuk <piotras(a)gmail.com>
> Replies to: oss-security(a)lists.openwall.com
> To: oss-security(a)lists.openwall.com
>
> A race condition in fs/namespace.c in the Linux kernel allows unprivileged
> local users to cause a denial of service by corrupting the mountpoint reference
> counter.
>
> # Affected Versions
>
> The denial of service has been reproduced against the following Linux
> kernel releases from kernel.org:
> * 4.19.118 (longterm release)
> * 4.14.177 (longterm release)
> * 4.9.220 (longterm release)
> * 4.4.220 (longterm release)
>
> The denial of service has also been reproduced against the following
> distribution kernel versions provided by current Ubuntu LTS releases:
> * 5.0.0-1034-gcp (distribution kernel provided by package
> "linux-image-5.0.0-1034-gcp" from Ubuntu 18.04.4 LTS)
> * 4.15.0-1061-gcp (current distribution kernel provided by package
> "linux-image-4.15.0-1061-gcp" from Ubuntu 16.04.6 LTS with all updates
> installed)
>
> Linux kernel releases 5.3 and newer from kernel.org are not affected.
>
> # Root Cause
>
> An unprivileged local user can cause a kernel panic by triggering the
> destruction of a mountpoint that is still in use.
>
> This is possible by exploiting a race condition to corrupt the mountpoint
> reference counter when simultaneously executing put_mountpoint() and
> pivot_root():
> * one thread increments the m_count member of struct mountpoint
>   [under namespace_sem, but not holding mount_lock]
>   pivot_root()
> * another thread simultaneously decrements the same m_count
>   [under mount_lock, but not holding namespace_sem]
>   put_mountpoint()
>   unhash_mnt()
>   umount_mnt()
>   mntput_no_expire()
>
> # Bug Fix
>
> To fix this race condition, grab mount_lock before updating m_count in
> pivot_root().
> This requires swapping two lines in fs/namespace.c:
> ```
> @@ -3142,8 +3142,8 @@ SYSCALL_DEFINE2(pivot_root, const char __user *,
> new_root,
> /* make certain new is below the root */
> if (!is_path_reachable(new_mnt, new.dentry, &root))
> goto out4;
> - root_mp->m_count++; /* pin it so it won't go away */
> lock_mount_hash();
> + root_mp->m_count++; /* pin it so it won't go away */
> detach_mnt(new_mnt, &parent_path);
> detach_mnt(root_mnt, &root_parent);
> if (root_mnt->mnt.mnt_flags & MNT_LOCKED) {
> ```
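Review bot: the reorder on the `-`/`+` pair makes the increment depend on an invariant that nothing in the hunk states, namely that m_count is protected by mount_lock (the lock put_mountpoint() holds when it decrements, per the root-cause section above); suggest extending the comment on the `+` line to something like `/* pin it so it won't go away; m_count is protected by mount_lock */` so a later cleanup does not move it back above lock_mount_hash(). The error path is unaffected: `goto out4` still runs before the increment, so no pin is taken that would have to be dropped. It would also be worth confirming in the same commit message that the remaining m_count increment sites already run under mount_lock, since this hunk fixes only the pivot_root() site.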
>
> The above fix has been merged into all relevant longterm branches by the
> upstream Linux kernel.
>
> The following Linux kernel releases from kernel.org incorporate the fix:
> * 4.19.119 (longterm release), see commit
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.19.119&id=f511dc75d22e0c000fc70b54f670c2c17f5fba9a
> * 4.14.178 (current longterm release), see commit
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.14.178&id=e21c8c03af20932c15d8b1d3bb9cbad9607a6eab
> * 4.9.221 (current longterm release), see commit
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.9.221&id=91e997939dda1a866f23ddfb043dcd4a3ff57524
> * 4.4.221 (current longterm release), see commit
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.4.221&id=83354adbd7a967230bd23a547c5b695567ddba2c
>
> # Proof Of Concept
>
> I developed a PoC that allows unprivileged local users to reliably trigger a
> kernel panic inside VM instances on Compute Engine of Google Cloud Platform.
>
> The PoC has been shared privately with <security(a)kernel.org> and via a
> private bug report with Ubuntu.
>
> # Discoverer
>
> Piotr Krysiuk <piotras(a)gmail.com>
>
> # References
>
> CVE-2020-12114 (reserved via https://cveform.mitre.org/)
>
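An added example, not part of the advisory or of the IPFire or kernel code: a user-space pthreads model of the race described in the Root Cause section, using a stand-in struct and the two lock names from the advisory. The names run_race, pin_thread, put_thread and pin_lock are constructed for this illustration.

```c
/* Added example, not from the advisory: user-space model of the CVE-2020-12114
 * race. pivot_root() pins the mountpoint (m_count++) under namespace_sem while
 * put_mountpoint() unpins it (m_count--) under mount_lock; different locks give
 * no mutual exclusion, so the read-modify-write loses updates. use_same_lock=1
 * models the fix (increment moved below lock_mount_hash()). */
#include <pthread.h>
#include <stdio.h>
#define ITER 200000
static struct mountpoint { int m_count; } mp;   /* stand-in for the kernel struct */
static pthread_mutex_t namespace_sem = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t mount_lock    = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t *pin_lock;               /* lock taken by the pin side */

static void *pin_thread(void *arg)              /* pivot_root() side */
{
    for (int i = 0; i < ITER; i++) {
        pthread_mutex_lock(pin_lock);
        mp.m_count++;                           /* "pin it so it won't go away" */
        pthread_mutex_unlock(pin_lock);
    }
    return arg;
}

static void *put_thread(void *arg)              /* put_mountpoint() side */
{
    for (int i = 0; i < ITER; i++) {
        pthread_mutex_lock(&mount_lock);
        mp.m_count--;
        pthread_mutex_unlock(&mount_lock);
    }
    return arg;
}

/* ITER pins and ITER puts run concurrently; a correct refcount ends at 0. Any
 * other value is a lost update: the counter no longer tracks the real users. */
int run_race(int use_same_lock)
{
    pthread_t a, b;
    pin_lock = use_same_lock ? &mount_lock : &namespace_sem;
    mp.m_count = 0;
    pthread_create(&a, NULL, pin_thread, NULL);
    pthread_create(&b, NULL, put_thread, NULL);
    pthread_join(a, NULL);
    pthread_join(b, NULL);
    return mp.m_count;
}

int main(void)
{
    printf("different locks (unpatched): m_count = %d, expected 0\n", run_race(0));
    printf("same lock (patched):         m_count = %d\n", run_race(1));
}
```

On a multi-core machine the unpatched run usually ends with a non-zero counter, while the patched run always ends at 0 because both updates are serialised on the same lock.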