ACK: [SRU][J][PATCH v2 0/2] CVE-2023-2640 and CVE-2023-32629

Alessio Faina alessio.faina at canonical.com
Wed Apr 8 07:20:07 UTC 2026


On Mon, Apr 06, 2026 at 01:30:08PM +0200, Massimiliano Pellizzer wrote:
> [ Impact ]
> 
> An unprivileged local user can obtain root privileges by exploiting the
> OverlayFS copy-up path. By setting scoped file capabilities inside a user
> namespace and triggering a copy-up, the kernel writes unscoped (globally
> effective) capabilities to the upper directory via __vfs_setxattr_noperm(),
> bypassing cap_convert_nscap(). The resulting binary grants any chosen
> capability to any user who executes it.
> 
> [ Fix ]
> 
> The first patch reverts the SAUCE patch that replaced vfs_setxattr() with
> __vfs_setxattr_noperm() in ovl_do_setxattr(), restoring full VFS
> permission checks and security transformations (including
> cap_convert_nscap()) for all OverlayFS xattr operations.
> 
> The second patch applies a new SAUCE patch that auto-enables
> the "userxattr" mount option when OverlayFS is mounted from a non-initial
> user namespace, switching internal metadata to the unprivileged
> user.overlay.* namespace. This preserves unprivileged mount functionality
> without bypassing the VFS security layer.
> 
> [ Test Plan ]
> 
> The patchset has been tested, security-wise, using multiple available
> known exploits.
> Moreover, the patchset has been tested with the following bash script
> to make sure it does not introduce any regression in functionalities:
> ```
>   #!/bin/sh -ex
>   dir=`mktemp -d`
> 
>   # Lazily unmount the overlay and drop the scratch tree on exit.
>   cleanup() {
>     umount -l "$dir/t"
>     rm -rf "$dir"
>   }
>   trap cleanup EXIT
> 
>   echo "dir is $dir"
>   # lower (l), upper (u), work (w) and merged mount point (t)
>   mkdir -p "$dir/l" "$dir/u" "$dir/w" "$dir/t"
>   mkdir "$dir/l/dev"
>   mount -t overlay -o lowerdir="$dir/l",upperdir="$dir/u",workdir="$dir/w" o "$dir/t"
>   stat "$dir/t/dev"
>   # Removing a lower-only dir creates a whiteout; recreating it needs an
>   # overlay xattr write on the upper dir, which is what the fix touches.
>   rmdir "$dir/t/dev"
>   mkdir "$dir/t/dev"
>   echo $?
>   echo "mkdir should have succeeded"
> ```
> 
> [ Regression Potential ]
> 
> Reverting the first SAUCE patch re-enables VFS permission checks on all
> OverlayFS xattr writes. Without patch 2, any unprivileged user namespace
> OverlayFS mount would fail with EPERM on trusted.overlay.* writes. Patch 2
> mitigates this by redirecting to user.overlay.*.
> A regression is possible if existing overlays on disk carry trusted.overlay.*
> xattrs written by a prior kernel.
> Newly created overlays are unaffected. Container runtimes operating as real root
> are also unaffected as they mount from init_user_ns.
> 
> [ Changes between v1 and v2 ]
> 
> Fixed typo in commit message of the first patch.
> 
> Massimiliano Pellizzer (2):
>   UBUNTU: SAUCE: Revert "UBUNTU: SAUCE: overlayfs: Skip permission
>     checking for trusted.overlayfs.* xattrs"
>   UBUNTU: SAUCE: overlayfs: default to userxattr when mounted from non
>     initial user namespace
> 
>  fs/overlayfs/overlayfs.h | 15 ++-------------
>  fs/overlayfs/super.c     | 10 ++++++++++
>  fs/xattr.c               | 36 ++++++------------------------------
>  include/linux/xattr.h    |  1 -
>  4 files changed, 18 insertions(+), 44 deletions(-)
> 
> -- 
> 2.51.0
> 

Acked-by: Alessio Faina <alessio.faina at canonical.com>
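Added example, not part of the patch series or the posted test plan: a check for the behaviour patch 2 describes, mounting an overlay from an unprivileged user namespace with the same rmdir/mkdir steps as the test plan and reporting which xattr namespace overlayfs used for its metadata on the upper dir. Assumes unshare(1), getfattr(1) and unprivileged user namespaces; the helper names are chosen here.

```sh
#!/bin/sh
# Added example (not from the patch series). Reports which xattr namespace
# overlayfs wrote its metadata to after an unprivileged user-namespace mount.
# Assumes unshare(1) and getfattr(1); helper names are chosen here.

# Classify a getfattr dump of the upper dir: "user" (user.overlay.*, the
# userxattr behaviour patch 2 selects), "trusted" (trusted.overlay.*, as
# written by the old noperm path), "mixed" (both present, the on-disk
# regression case the cover letter mentions) or "none".
classify_overlay_xattrs() {
  t=$(printf '%s\n' "$1" | grep -c '^trusted\.overlay\.' || true)
  u=$(printf '%s\n' "$1" | grep -c '^user\.overlay\.' || true)
  if [ "$t" -gt 0 ] && [ "$u" -gt 0 ]; then echo mixed
  elif [ "$t" -gt 0 ]; then echo trusted
  elif [ "$u" -gt 0 ]; then echo user
  else echo none
  fi
}

# Mount an overlay in a fresh user+mount namespace, remove a lower-only dir
# and recreate it (overlayfs then marks the upper dir opaque via an xattr),
# and dump that dir's xattrs from inside the namespace. A failing mkdir is
# the EPERM case the cover letter describes for patch 1 without patch 2.
# Note: trusted.* names are not listable without CAP_SYS_ADMIN in the
# initial namespace, so "none" here can also mean trusted.overlay.* was
# written; rerun getfattr on the upper dir as real root to distinguish.
check_userns_overlay() {
  dir=$(mktemp -d)
  mkdir -p "$dir/l/dev" "$dir/u" "$dir/w" "$dir/t"
  if ! unshare -Urm sh -ex <<EOF
mount -t overlay -o lowerdir=$dir/l,upperdir=$dir/u,workdir=$dir/w overlay $dir/t
rmdir $dir/t/dev
mkdir $dir/t/dev
getfattr -d -m - --absolute-names $dir/u/dev > $dir/xattrs.txt
umount $dir/t
EOF
  then
    echo "overlay operation failed inside the user namespace (EPERM?)" >&2
    rm -rf "$dir"; return 1
  fi
  classify_overlay_xattrs "$(cat "$dir/xattrs.txt")"
  rm -rf "$dir"
}

# Constructed sample dumps in getfattr -d format, to exercise the classifier offline.
SAMPLE_USER='# file: u/dev
user.overlay.opaque="y"'
SAMPLE_TRUSTED='# file: u/dev
trusted.overlay.opaque="y"'
classify_overlay_xattrs "$SAMPLE_USER"     # user
classify_overlay_xattrs "$SAMPLE_TRUSTED"  # trusted
if [ "${1-}" = "--run" ]; then check_userns_overlay; fi
```

Run with `--run` on the kernel under test to exercise the real mount; without it only the offline classifier runs.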