Bug 1886387 (CVE-2020-16120)

Summary: CVE-2020-16120 kernel: incorrect unprivileged overlayfs permission checking may lead to information disclosure
Product: Other (Security Response)
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, airlied, bhu, blc, bmasney, dvlasenk, hdegoede, hkrzesin, ichavero, itamar, jarodwilson, jeremy, jforbes, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mjg59, mlangsdo, mszeredi, nmurray, ptalbert, qzhao, rkeshri, rt-maint, rvrbovsk, steved, williams, wmealing
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text: A flaw was found in the User namespace on an overlay filesystem in the Linux Kernel, where a file with no access privilege was able to copy the file to a user-defined mount point. An attacker with a special user privilege locally may lead to a kernel information leak problem.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host: ---
Cloudforms Team: ---
Bug Depends On: 1892250, 1892251, 1892252, 1892253, 1892254, 1892255, 1892256, 1904922, 1904923, 1904924, 1904925, 1904926
Bug Blocks: 1886388

Description Marian Rehak 2020-10-08 10:59:58 UTC
A flaw was found in the User namespace on an overlay filesystem in the Linux Kernel, where a file with no access privilege was able to copy the file to a user-defined mount point. An attacker with a special user privilege locally may lead to a kernel information leak problem.


Upstream fix:

48bd024b8a40d73ad6b086de2615738da0c7004f ("ovl: switch to mounter creds in readdir")
56230d956739b9cb1cbde439d76227d77979a04d ("ovl: verify permissions in ovl_path_open()")
05acefb4872dae89e772729efb194af754c877e8 ("ovl: check permission to open real file")

Comment 2 Wade Mealing 2020-10-20 04:09:43 UTC
It is my understanding that the attacker must have a number of conditions in place for this attack to work correctly.

The target file must exist on an overlay filesystem.
The target file must be accessible in the namespace.
The destination must be writable by the exploiting target.

This doesn't mean that the attacker can choose what the target is, only that the information within the original file can be accessed by bypassing existing permissions.

Comment 18 Rohit Keshri 2020-12-07 20:18:20 UTC
Mitigation:

Red Hat feels this flaw needs a number of conditions in place for the attacker to exploit, and the mitigation for this issue is to avoid a target file existing on an overlay filesystem, accessible in the namespace, which is writable by the exploiting target.
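To check the first mitigation condition from Comment 18 (whether any overlay filesystems are visible in the current mount namespace, and whether the host's sysctls allow unprivileged user namespaces), here is an added example; it is not code from the bug report or from the kernel fix. It parses the /proc/self/mountinfo format, the mountinfo lines below are constructed, and the two sysctl paths are assumed to be the ones a given distribution may or may not provide.

```python
import os
from typing import Dict, List
# Constructed sample in /proc/self/mountinfo format; not captured from a real host.
SAMPLE_MOUNTINFO = """\
25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
100 25 0:45 / /home/alice/merged rw,relatime - overlay overlay rw,lowerdir=/home/alice/lower,upperdir=/home/alice/upper,workdir=/home/alice/work
"""
# Sysctl files that gate unprivileged user namespaces on common distributions (assumed paths).
USERNS_SYSCTLS = ("/proc/sys/kernel/unprivileged_userns_clone",
                  "/proc/sys/user/max_user_namespaces")

def parse_mountinfo(text: str) -> List[Dict[str, str]]:
    """Parse mountinfo lines into mount point, filesystem type and superblock options."""
    mounts = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")   # " - " ends the optional-fields list
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 3:
            continue  # blank or malformed line
        mounts.append({"mount_point": pre_fields[4].replace("\\040", " "),
                       "fstype": post_fields[0], "super_opts": post_fields[2]})
    return mounts

def overlay_mounts(text: str) -> List[Dict[str, str]]:
    """Return overlay mounts with lowerdir/upperdir/workdir split out of the options."""
    result = []
    for m in parse_mountinfo(text):
        if m["fstype"] != "overlay":
            continue
        layers = {"mount_point": m["mount_point"]}
        for opt in m["super_opts"].split(","):
            key, _, value = opt.partition("=")
            if key in ("lowerdir", "upperdir", "workdir"):
                layers[key] = value
        result.append(layers)
    return result

def userns_sysctl_values() -> Dict[str, str]:
    """Read whichever user-namespace sysctls exist on this host (empty dict if none)."""
    values = {}
    for path in USERNS_SYSCTLS:
        if os.path.exists(path):
            with open(path) as fh:
                values[path] = fh.read().strip()
    return values

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fh:
        print(overlay_mounts(fh.read()))   # overlay mounts visible to this process
    print(userns_sysctl_values())          # e.g. max_user_namespaces of 0 disables them
```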