[SRU][J][PATCH 0/2] CVE-2023-2640 and CVE-2023-32629

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Tue Mar 31 18:26:00 UTC 2026


[ Impact ]

An unprivileged local user can obtain root privileges by exploiting the
OverlayFS copy-up path. By setting scoped file capabilities inside a user
namespace and triggering a copy-up, the kernel writes unscoped (globally
effective) capabilities to the upper directory via __vfs_setxattr_noperm(),
bypassing cap_convert_nscap(). The resulting binary grants any chosen
capability to any user who executes it.
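As an added defender-side check (not part of this patchset or its test plan), the following Python script decodes the security.capability xattr on files under an OverlayFS upper directory and lists those whose capabilities are in the unscoped v2 form, i.e. without the rootid that cap_convert_nscap() adds when the write originates in a user namespace. It assumes the struct vfs_cap_data / vfs_ns_cap_data layout from the kernel UAPI headers and read access to the upper directory; the sample value at the end is constructed.

```python
import os
import struct

# Layout constants from the kernel's include/uapi/linux/capability.h.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000   # unscoped: no rootid field
VFS_CAP_REVISION_3 = 0x03000000   # namespaced: rootid appended
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

def parse_vfs_cap(blob: bytes) -> dict:
    """Decode a security.capability value: little-endian u32 magic_etc,
    then permitted/inheritable as two 32-bit halves each, then rootid (v3)."""
    if len(blob) < 4:
        raise ValueError("security.capability value too short")
    magic = struct.unpack_from("<I", blob, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    if rev == VFS_CAP_REVISION_2 and len(blob) == 20:
        p0, i0, p1, i1 = struct.unpack_from("<4I", blob, 4)
        rootid = None            # v2 carries no owning-namespace root id
    elif rev == VFS_CAP_REVISION_3 and len(blob) == 24:
        p0, i0, p1, i1, rootid = struct.unpack_from("<5I", blob, 4)
    else:
        raise ValueError(f"unsupported revision {rev:#x} / size {len(blob)}")
    return {
        "revision": rev >> 24,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": p0 | (p1 << 32),
        "inheritable": i0 | (i1 << 32),
        "rootid": rootid,
    }

def find_unscoped_caps(upperdir: str) -> list:
    """Paths under upperdir (assumed to be an overlay upper dir) whose file
    caps lack a rootid, i.e. are globally effective rather than namespaced."""
    hits = []
    for root, _dirs, files in os.walk(upperdir):
        for name in files:
            path = os.path.join(root, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
                info = parse_vfs_cap(blob)
            except (OSError, ValueError):
                continue         # no xattr, unreadable, or unknown layout
            if info["rootid"] is None:
                hits.append(path)
    return hits

# Constructed sample: revision 2 with the effective bit set, CAP_SYS_ADMIN (bit 21).
SAMPLE_UNSCOPED = struct.pack("<5I", VFS_CAP_REVISION_2 | 1, 1 << 21, 0, 0, 0)
```

Run find_unscoped_caps() against the upper directory of a user-namespace overlay mount; on a fixed kernel, copied-up binaries should only ever carry the v3 (rootid-bearing) form.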

[ Fix ]

The first patch reverts the SAUCE patch that replaced vfs_setxattr() with
__vfs_setxattr_noperm() in ovl_do_setxattr(), restoring full VFS
permission checks and security transformations (including
cap_convert_nscap()) for all OverlayFS xattr operations.

The second patch applies a new SAUCE patch that auto-enables
the "userxattr" mount option when OverlayFS is mounted from a non-initial
user namespace, switching internal metadata to the unprivileged
user.overlay.* namespace. This preserves unprivileged mount functionality
without bypassing the VFS security layer.

[ Test Plan ]

The patchset has been tested, security-wise, using multiple available
known exploits.
Moreover, the patchset has been tested with the following bash script
to make sure it does not introduce any regression in functionality:
```sh
#!/bin/sh -ex
# Regression check: a lower-dir entry removed through the overlay (whiteout)
# must still be re-creatable, which requires OverlayFS to write its own xattrs.
dir=$(mktemp -d)

cleanup() {
  umount -l "$dir/t"
  rm -rf "$dir"
}
trap cleanup EXIT

echo "dir is $dir"
mkdir -p "$dir/l" "$dir/u" "$dir/w" "$dir/t"
mkdir "$dir/l/dev"
mount -t overlay -o "lowerdir=$dir/l,upperdir=$dir/u,workdir=$dir/w" o "$dir/t"
stat "$dir/t/dev"
rmdir "$dir/t/dev"    # creates a whiteout in the upper dir
mkdir "$dir/t/dev"    # recreates it as an opaque dir (fails with EPERM if xattr writes are blocked)
echo $?
echo "mkdir should have succeeded"
```

[ Regression Potential ]

Reverting the first SAUCE patch re-enables VFS permission checks on all
OverlayFS xattr writes. Without patch 2, any unprivileged user namespace
OverlayFS mount would fail with EPERM on trusted.overlay.* writes. Patch 2
mitigates this by redirecting to user.overlay.*.
A regression is possible if existing overlays on disk carry trusted.overlay.*
xattrs written by a prior kernel.
Newly created overlays are unaffected. Container runtimes operating as real root
are also unaffected as they mount from init_user_ns.


Massimiliano Pellizzer (2):
  UBUNTU: SAUCE: Revert "UBUNTU: SAUCE: overlayfs: Skip permission
    checking for trusted.overlayfs.* xattrs"
  UBUNTU: SAUCE: overlayfs: default to userxattr when mounted from non
    initial user namespace

 fs/overlayfs/overlayfs.h | 15 ++-------------
 fs/overlayfs/super.c     | 10 ++++++++++
 fs/xattr.c               | 36 ++++++------------------------------
 include/linux/xattr.h    |  1 -
 4 files changed, 18 insertions(+), 44 deletions(-)

-- 
2.51.0
