Bug 1886387 (CVE-2020-16120) - CVE-2020-16120 kernel: incorrect unprivileged overlayfs permission checking may lead to information disclosure
Status: NEW
Alias: CVE-2020-16120
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1892250 1892251 1892252 1892253 1892254 1892255 1892256
Blocks: 1886388
Reported: 2020-10-08 10:59 UTC by Marian Rehak
Modified: 2020-10-28 10:01 UTC

Doc Text:
A flaw was found in the Linux kernel. When using shiftfs with overlayfs and fuse, it is possible to receive the data of files that are not supposed to be readable by the mounter before setting up permissions. It is also possible to copy these files to another mountpoint, such as a removable device. The highest threat from this vulnerability is to data confidentiality.


Description Marian Rehak 2020-10-08 10:59:58 UTC
Using shiftfs with overlayfs and fuse, it was possible to receive the data of files that were not readable by the mounter before setting up permissions. It was later found that by only using user namespaces and overlayfs, it was possible to have a file not readable by the unprivileged user to be copied to a mountpoint controlled by such user, like a removable device.

Comment 2 Wade Mealing 2020-10-20 04:09:43 UTC
It is my understanding that the attacker must have a number of conditions in place for this attack to work correctly.

The target file must exist on an overlay filesystem. 
The target file must be accessible in the namespace.
The destination must be writable by the exploiting target.

This doesn't mean that the attacker can choose what the target is, only that the information within the original file can be accessed by bypassing existing permissions.

