[Bug 1507463] Re: OverlayFS: Wrong mnt_id and path reported in /proc in linux-3.13
oleg
1507463 at bugs.launchpad.net
Thu Oct 22 02:57:30 UTC 2015
The following lxc commit introduced safe_mount(), which passes fd's as
arguments to mount(),
CVE-2015-1335: Protect container mounts against symlinks
https://github.com/lxc/lxc/commit/6de26af93d3dd87c8b21a42fdf20f30fa1c1948d
Here is the relevant part of the commit, which creates a file descriptor
and passes it to mount().
+ destfd = open_without_symlink(dest, rootfs);
+ if (destfd < 0) {
+ if (srcfd != -1)
+ close(srcfd);
+ return destfd;
+ }
+
+ ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd);
+ if (ret < 0 || ret > 50) {
+ if (srcfd != -1)
+ close(srcfd);
+ close(destfd);
+ ERROR("Out of memory");
+ return -EINVAL;
+ }
+
+ ret = mount(mntsrc, destbuf, fstype, flags, data);
The strace of mount() shows,
strace: mount("/home/ubuntu/test.txt", "/proc/self/fd/16",
0x7ffd4c3f7fdb, MS_BIND, NULL) = -1 EACCES (Permission denied)
The mount fails because /proc/self/fd/16, which should point to a file
in overlayfs, has an invalid value.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1507463
Title:
OverlayFS: Wrong mnt_id and path reported in /proc in linux-3.13
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1507463/+subscriptions
More information about the Ubuntu-server-bugs
mailing list