[Bug 1507463] Re: OverlayFS: Wrong mnt_id and path reported in /proc in linux-3.13

oleg 1507463 at bugs.launchpad.net
Wed Oct 21 13:34:18 UTC 2015


I retested using lxc-1.1.4 from the lxc-stable PPA
(https://launchpad.net/~ubuntu-lxc/+archive/ubuntu/lxc-stable) which I
added to a fresh VM image from the daily-builds,
https://cloud-images.ubuntu.com/trusty/current.

"lxc-start -n trusty_overlay" fails as before, with the same error
message,

ERROR    lxc_utils - utils.c:safe_mount:1641 - Permission denied - Failed to mount /home/ubuntu/test.txt onto /usr/lib/x86_64-linux-gnu/lxc/home/ubuntu/test.txt
ERROR    lxc_conf - conf.c:mount_entry:1731 - Permission denied - failed to mount '/home/ubuntu/test.txt' on '/usr/lib/x86_64-linux-gnu/lxc/home/ubuntu/test.txt'
ERROR    lxc_conf - conf.c:lxc_setup:3745 - failed to setup the mount entries for 'trusty_overlay'

Chris, it would be of interest to see whether you can reproduce the
underlying kernel bug using this script,

#!/bin/bash
fatal() { echo "error: $*"; exit 1; }

echo -e "testing for overlayfs kernel bug in kernels <= 3.17.";
echo -e "(This script does not work for the newer version of overlayfs in kernels 3.18+)";

mkdir test_dir                    || fatal "mkdir test_dir";
sudo mount -t tmpfs none test_dir || fatal "mount tmpfs";
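# stop here if cd fails, so the mounts and cleanup never run in the wrong directory
cd test_dir                       || fatal "cd test_dir";
mkdir lowerdir upperdir overlayfs || fatal "mkdir lowerdir upperdir overlayfs";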
sudo mount -t overlayfs -o lowerdir=lowerdir,upperdir=upperdir none overlayfs || fatal "mount overlayfs";

exec 6> file_tmpfs.txt;
exec 7> lowerdir/file_lowerdir.txt;
exec 8> upperdir/file_upperdir.txt;
exec 9> overlayfs/file_overlayfs.txt;

echo -e "\ncontents of /proc/$BASHPID/fd/ .  A broken symbolic link to file_overlayfs.txt indicates a kernel bug";
echo "--------------------------------------------------------------------------------------------------------";
file /proc/$BASHPID/fd/[6-9];

# cleanup
exec 9>&-;
exec 8>&-;
exec 7>&-;
exec 6>&-;
sudo umount overlayfs;
cd ..;
sudo umount test_dir && rmdir test_dir;
#----------end of script

Running the script as root, sudo ./script, I get the following output,

  testing for overlayfs kernel bug in kernels <= 3.17.
  (This script does not work for the newer version of overlayfs in kernels 3.18+)

  contents of /proc/1916/fd/ .  A broken symbolic link to file_overlayfs.txt indicates a kernel bug
  --------------------------------------------------------------------------------------------------------
  /proc/1916/fd/6: symbolic link to `/home/ubuntu/test_dir/file_tmpfs.txt' 
  /proc/1916/fd/7: symbolic link to `/home/ubuntu/test_dir/lowerdir/file_lowerdir.txt' 
  /proc/1916/fd/8: symbolic link to `/home/ubuntu/test_dir/upperdir/file_upperdir.txt' 
  /proc/1916/fd/9: broken symbolic link to `/file_overlayfs.txt'

It seems that the kernel bug is causing fd 9 to point to
/file_overlayfs.txt, when it should point to
/home/ubuntu/test_dir/overlayfs/file_overlayfs.txt .

The lxc commit which introduced safe_mount(), which passes fds as
arguments to mount(), is,

CVE-2015-1335: Protect container mounts against symlinks
https://github.com/lxc/lxc/commit/6de26af93d3dd87c8b21a42fdf20f30fa1c1948d

Here is the relevant part of the commit, which creates a file descriptor
and passes it to mount().

+	destfd = open_without_symlink(dest, rootfs);
+	if (destfd < 0) {
+		if (srcfd != -1)
+			close(srcfd);
+		return destfd;
+	}
+
+	ret = snprintf(destbuf, 50, "/proc/self/fd/%d", destfd);
+	if (ret < 0 || ret > 50) {
+		if (srcfd != -1)
+			close(srcfd);
+		close(destfd);
+		ERROR("Out of memory");
+		return -EINVAL;
+	}
+
+	ret = mount(mntsrc, destbuf, fstype, flags, data);
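
Review bot: the truncation check `ret > 50` after `snprintf(destbuf, 50, ...)` is off by one. snprintf returns the length it wanted to write, not counting the terminating NUL, so a return of exactly 50 already means the string was cut to 49 characters and would still be passed to mount(). Use `ret >= 50`, or compare against `sizeof(destbuf)` if destbuf is a local array, so the literal 50 is not repeated. The `ERROR("Out of memory")` on that path is also misleading, since nothing is allocated there; a message saying that the /proc/self/fd path could not be formatted would be easier to diagnose. The `if (srcfd != -1) close(srcfd);` cleanup is repeated in both error branches and could go to a single exit label.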


** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1335

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1507463

Title:
  OverlayFS: Wrong mnt_id and path reported in /proc in linux-3.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1507463/+subscriptions


