ACK: [SRU][J][PATCH v2 0/2] CVE-2023-2640 and CVE-2023-32629
Mehmet Basaran
mehmet.basaran at canonical.com
Thu Apr 9 07:10:18 UTC 2026
Acked-by: Mehmet Basaran <mehmet.basaran at canonical.com>
Massimiliano Pellizzer <massimiliano.pellizzer at canonical.com> writes:
> [ Impact ]
>
> An unprivileged local user can obtain root privileges by exploiting the
> OverlayFS copy-up path. By setting scoped file capabilities inside a user
> namespace and triggering a copy-up, the kernel writes unscoped (globally
> effective) capabilities to the upper directory via __vfs_setxattr_noperm(),
> bypassing cap_convert_nscap(). The resulting binary grants any chosen
> capability to any user who executes it.
>
> [ Fix ]
>
> The first patch reverts the SAUCE patch that replaced vfs_setxattr() with
> __vfs_setxattr_noperm() in ovl_do_setxattr(), restoring full VFS
> permission checks and security transformations (including
> cap_convert_nscap()) for all OverlayFS xattr operations.
>
> The second patch applies a new SAUCE patch that auto-enables
> the "userxattr" mount option when OverlayFS is mounted from a non-initial
> user namespace, switching internal metadata to the unprivileged
> user.overlay.* namespace. This preserves unprivileged mount functionality
> without bypassing the VFS security layer.
>
> [ Test Plan ]
>
> The patchset has been tested, security-wise, using multiple available
> known exploits.
> Moreover, the patchset has been tested with the following bash script
> to make sure it does not introduce any regression in functionalities:
> ```
> #!/bin/sh -ex
> dir=$(mktemp -d)
>
> cleanup() {
>     umount -l "$dir/t"
>     rm -rf "$dir"
> }
> trap cleanup EXIT
>
> echo "dir is $dir"
> # lower, upper, work and mount-point directories
> mkdir -p "$dir/l" "$dir/u" "$dir/w" "$dir/t"
> mkdir "$dir/l/dev"
> mount -t overlay -o "lowerdir=$dir/l,upperdir=$dir/u,workdir=$dir/w" o "$dir/t"
> stat "$dir/t/dev"
> # remove the lower-layer directory through the overlay (creates a whiteout),
> # then recreate it: the new opaque directory needs an overlay xattr write
> rmdir "$dir/t/dev"
> mkdir "$dir/t/dev"
> echo $?
> echo "mkdir should have succeeded"
> ```
>
> [ Regression Potential ]
>
> Reverting the first SAUCE patch re-enables VFS permission checks on all
> OverlayFS xattr writes. Without patch 2, any unprivileged user namespace
> OverlayFS mount would fail with EPERM on trusted.overlay.* writes. Patch 2
> mitigates this by redirecting to user.overlay.*.
> A regression is possible if existing overlays on disk carry trusted.overlay.*
> xattrs written by a prior kernel.
> Newly created overlays are unaffected. Container runtimes operating as real root
> are also unaffected as they mount from init_user_ns.
>
> [ Changes between v1 and v2 ]
>
> Fixed typo in commit message of the first patch.
>
> Massimiliano Pellizzer (2):
> UBUNTU: SAUCE: Revert "UBUNTU: SAUCE: overlayfs: Skip permission
> checking for trusted.overlayfs.* xattrs"
> UBUNTU: SAUCE: overlayfs: default to userxattr when mounted from non
> initial user namespace
>
> fs/overlayfs/overlayfs.h | 15 ++-------------
> fs/overlayfs/super.c | 10 ++++++++++
> fs/xattr.c | 36 ++++++------------------------------
> include/linux/xattr.h | 1 -
> 4 files changed, 18 insertions(+), 44 deletions(-)
>
> --
> 2.51.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
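A defender-side check for the impact described in the cover letter, added here as an example that is not part of the patch series or of the quoted mail: it walks an OverlayFS upper directory and flags files whose security.capability xattr is in the unscoped form (revision 2, or revision 3 with rootid 0), i.e. the form that cap_convert_nscap() would have rescoped to the mounting user namespace had it not been bypassed. It assumes a Linux host where Python's os.getxattr() is available; the byte layouts follow struct vfs_cap_data / vfs_ns_cap_data, and the two sample values at the bottom are constructed.

```python
#!/usr/bin/env python3
"""Audit an OverlayFS upper directory for unscoped security.capability xattrs."""
import os
import struct
import sys

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000      # legacy layout: no rootid, globally effective
VFS_CAP_REVISION_3 = 0x03000000      # namespaced layout: trailing rootid (kuid)
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
XATTR_NAME_CAPS = "security.capability"
# A few capability numbers from <linux/capability.h>, for readable output only
CAP_NAMES = {0: "CAP_CHOWN", 2: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID", 21: "CAP_SYS_ADMIN"}


def decode_vfs_cap(raw: bytes) -> dict:
    """Parse a little-endian vfs_cap_data (20 bytes) or vfs_ns_cap_data (24 bytes)."""
    if len(raw) not in (20, 24):
        raise ValueError(f"unexpected security.capability size {len(raw)}")
    magic_etc, p0, i0, p1, i1 = struct.unpack_from("<5I", raw)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_3 and len(raw) == 24:
        rootid = struct.unpack_from("<I", raw, 20)[0]
    elif revision == VFS_CAP_REVISION_2 and len(raw) == 20:
        rootid = None
    else:
        raise ValueError(f"unsupported capability revision 0x{revision:08x}")
    return {
        "revision": revision >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": p0 | (p1 << 32),      # data[0] holds the low 32 bits
        "inheritable": i0 | (i1 << 32),
        "rootid": rootid,
        # v2, or v3 owned by init_user_ns root, grants the caps system-wide
        "unscoped": rootid in (None, 0),
    }


def cap_list(mask: int) -> list:
    """Names of the capability bits set in a 64-bit mask."""
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if (mask >> b) & 1]


def scan_upperdir(upperdir: str) -> list:
    """Return (path, decoded caps) for every file under upperdir carrying unscoped caps."""
    findings = []
    for root, _dirs, files in os.walk(upperdir):
        for name in files:
            path = os.path.join(root, name)
            try:
                raw = os.getxattr(path, XATTR_NAME_CAPS, follow_symlinks=False)
            except OSError:          # ENODATA / ENOTSUP / EACCES: nothing to report
                continue
            info = decode_vfs_cap(raw)
            if info["unscoped"]:
                findings.append((path, info))
    return findings


# Constructed samples: v2 effective CAP_SETUID; v3 CAP_SYS_ADMIN owned by kuid 100000
SAMPLE_V2 = struct.pack("<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 7, 0, 0, 0)
SAMPLE_V3 = struct.pack("<6I", VFS_CAP_REVISION_3, 1 << 21, 0, 0, 0, 100000)

if __name__ == "__main__":
    for path, info in scan_upperdir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: v{info['revision']} unscoped permitted={cap_list(info['permitted'])}")
```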