Bug 1886387 (CVE-2020-16120) - CVE-2020-16120 kernel: incorrect unprivileged overlayfs permission checking may lead to information disclosure
Summary: CVE-2020-16120 kernel: incorrect unprivileged overlayfs permission checking may lead to information disclosure
Keywords:
Status: NEW
Alias: CVE-2020-16120
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1892250 1892251 1892252 1892253 1892254 1892255 1892256 1904922 1904923 1904924 1904925 1904926
Blocks: 1886388
 
Reported: 2020-10-08 10:59 UTC by Marian Rehak
Modified: 2024-01-19 19:11 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the user namespace handling on an overlay filesystem in the Linux kernel, where a file with no access privilege could be copied to a user-defined mount point. A local attacker with special user privilege could use this to cause a kernel information leak.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Marian Rehak 2020-10-08 10:59:58 UTC
A flaw was found in the user namespace handling on an overlay filesystem in the Linux kernel, where a file with no access privilege could be copied to a user-defined mount point. A local attacker with special user privilege could use this to cause a kernel information leak.


Upstream fix:

48bd024b8a40d73ad6b086de2615738da0c7004f ("ovl: switch to mounter creds in readdir")
56230d956739b9cb1cbde439d76227d77979a04d ("ovl: verify permissions in ovl_path_open()")
05acefb4872dae89e772729efb194af754c877e8 ("ovl: check permission to open real file")

Comment 2 Wade Mealing 2020-10-20 04:09:43 UTC
It is my understanding that the attacker must have a number of conditions in place for this attack to work correctly.

The target file must exist on an overlay filesystem. 
The target file must be accessible in the namespace.
The destination must be writable by the exploiting target.

This doesn't mean that the attacker can choose what the target is, only that the information within the original file can be accessed by bypassing existing permissions.

Comment 18 Rohit Keshri 2020-12-07 20:18:20 UTC
Mitigation:

Red Hat feels this flaw needs a number of conditions in place for the attacker to exploit, and the mitigation for this issue is to avoid a target file existing on an overlay filesystem, accessible in the namespace, which is writable by the exploiting target.
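As a practical check on the preconditions named in Comment 2 and in the mitigation above (an overlay filesystem reachable by the attacker, and unprivileged user namespaces available to mount one), here is an added shell audit script. It is not code from the bug report, from Red Hat or from the upstream kernel fix. The mountinfo sample it embeds is constructed for illustration, and it assumes the sysctl paths /proc/sys/user/max_user_namespaces (mainline) and /proc/sys/kernel/unprivileged_userns_clone (present only on kernels carrying the Debian/Ubuntu patch; treated as permissive when the file is absent).

```sh
#!/bin/sh
# Added audit helper (not from the bug report or any Red Hat/upstream tool).
# It lists overlay mounts from mountinfo-format input and reports whether
# unprivileged user namespaces are permitted, i.e. the two preconditions
# named in the bug comments. The mountinfo sample below is constructed.
# Assumed sysctl knobs: user.max_user_namespaces (mainline) and
# kernel.unprivileged_userns_clone (Debian/Ubuntu kernels only).

# overlay_mounts: read /proc/PID/mountinfo lines on stdin and print
# "<mount point> <super options>" for each mount whose fstype is overlay.
# Field 5 is the mount point; optional fields follow field 6, so the fstype
# is located relative to the "-" separator rather than by a fixed index.
overlay_mounts() {
    awk '{
        for (i = 7; i <= NF; i++) {
            if ($i == "-") {
                if ($(i + 1) == "overlay") print $5, $(i + 3)
                break
            }
        }
    }'
}

# userns_policy MAX CLONE: exit 0 when unprivileged user namespace creation
# is permitted given user.max_user_namespaces=MAX and
# kernel.unprivileged_userns_clone=CLONE (pass 1 when that knob is absent).
userns_policy() {
    [ "$1" -gt 0 ] && [ "$2" -ne 0 ]
}

# read_sysctl PATH DEFAULT: print the file's value, or DEFAULT if unreadable.
read_sysctl() {
    cat "$1" 2>/dev/null || echo "$2"
}

# Constructed sample in /proc/self/mountinfo format: a sysfs mount, the root
# ext4 mount, an unprivileged user's overlay mount and a container overlay.
SAMPLE_MOUNTINFO=$(cat <<'EOF'
22 29 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
29 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
67 29 0:45 / /home/alice/merged rw,relatime - overlay overlay rw,lowerdir=/home/alice/lower,upperdir=/home/alice/upper,workdir=/home/alice/work
81 29 0:52 / /var/lib/containers/storage/overlay/abc/merged rw,nodev,relatime shared:40 - overlay overlay rw,lowerdir=/var/lib/containers/storage/overlay/l/X,upperdir=/var/lib/containers/storage/overlay/abc/diff,workdir=/var/lib/containers/storage/overlay/abc/work
EOF
)

# audit: report on the running host; falls back to the constructed sample
# when /proc is not available so the parsing is still demonstrated.
audit() {
    if [ -r /proc/self/mountinfo ]; then
        overlay_mounts < /proc/self/mountinfo
    else
        printf '%s\n' "$SAMPLE_MOUNTINFO" | overlay_mounts
    fi
    max=$(read_sysctl /proc/sys/user/max_user_namespaces 1)
    clone=$(read_sysctl /proc/sys/kernel/unprivileged_userns_clone 1)
    if userns_policy "$max" "$clone"; then
        echo "unprivileged user namespaces: permitted (max=$max clone=$clone)"
    else
        echo "unprivileged user namespaces: restricted (max=$max clone=$clone)"
    fi
}

audit
```

Run it as any user. A host that lists overlay mounts and reports user namespaces as permitted meets the conditions the comments describe and is worth patching first. The script does not prove exploitability: the target file still has to be accessible in the namespace and the destination writable, which it does not check.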

