lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <tencent_314614C52C64DDE971D2129B@qq.com>
Date:   Wed, 19 Apr 2017 11:05:27 +0800
From:   "iceboy" <iceboy@...boy.org>
To:     "linux-kernel" <linux-kernel@...r.kernel.org>
Subject: Potential bug in path handling

I found this while writing a simple sandbox. Script to reproduce: https://gist.github.com/iceb0y/93e77e6945019d8a863b452e18a18079

In the `bugbox`:

bugbox-4.3$ ls bin
(you get the files in /bin)

however

bugbox-4.3$ ls ../bin
(nothing)

Tried with latest 4.11 kernel. The problem occurs when you bind mount `/` to itself, and then remount it. Looks like one of the mount namespace, bind mount or pivot_root is mishandling root barrier, causing `../bin` referencing to the `bin` directory instead of the bind mount. This could be a security problem.

Any idea on what's the problem, or how to debug this?

* Dependencies of `bugbox`:
python 2 or 3
the `butter` package for syscall (sorry)
/bin /lib and /lib64 on your system are real, not symlinks

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ