
CVE-2020-16120

Published: 13 October 2020

Overlayfs did not properly perform permission checking when copying up files in an overlayfs mount and could be exploited from within a user namespace, for example where unprivileged user namespaces are allowed. It was possible for a file that is not readable by an unprivileged user to be copied up into a mountpoint controlled by that user, such as a removable device, from where the user can read it.

This was introduced in kernel version 4.19 by commit d1d04ef ("ovl: stack file ops"). It was fixed in kernel version 5.8 by commits 56230d9 ("ovl: verify permissions in ovl_path_open()"), 48bd024 ("ovl: switch to mounter creds in readdir") and 05acefb ("ovl: check permission to open real file"). Additionally, commits 130fdbc ("ovl: pass correct flags for opening real directory") and 292f902 ("ovl: call secutiry hook in ovl_real_ioctl()") in kernel 5.8 might also be desired or necessary. These additional commits introduced a regression in overlay mounts within user namespaces which prevented access to files with ownership outside of the user namespace. This regression was mitigated by the subsequent commit b6650da ("ovl: do not fail because of O_NOATIME") in kernel 5.11.

From the Ubuntu security team

Giuseppe Scrivano discovered that the overlay file system in the Linux kernel did not properly perform permission checks in some situations. A local attacker could possibly use this to bypass intended restrictions and gain read access to restricted files.

Mitigation

Disable unprivileged user namespaces if they are not needed:

  sudo sysctl kernel.unprivileged_userns_clone=0

Make this permanent by adding

  kernel.unprivileged_userns_clone = 0

to /etc/sysctl.d/99-userns.conf (applied at boot, or immediately with sudo sysctl -p /etc/sysctl.d/99-userns.conf).

Caveats: kernel.unprivileged_userns_clone is an Ubuntu/Debian-specific sysctl that upstream kernels do not provide, so a host without it is not running an Ubuntu kernel and this mitigation does not apply to it. Disabling unprivileged user namespaces also disables anything that relies on them (rootless containers, some browser and application sandboxes), so prefer updating to the fixed kernel versions listed under Status where possible and treat the sysctl as a stopgap.
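The script below is an added example, not part of the Ubuntu tracker page or the kernel project. It checks the two preconditions this page describes on the host it runs on: whether kernel.unprivileged_userns_clone is set to 1, and whether the running kernel is older than the fixed generic `linux` package for the host's release (versions copied from the Status table; the mapping to `uname -r` assumes the host runs the generic flavour, which is an assumption). With `--probe` it additionally tries a harmless overlayfs mount inside a fresh unprivileged user namespace to show whether the Ubuntu-specific precondition from the note at the bottom of the page holds on this kernel.

```shell
#!/bin/sh
# check_cve_2020_16120.sh -- added example, not from the Ubuntu tracker or the kernel tree.
# Preconditions checked (see the advisory text above):
#   (a) unprivileged user namespaces allowed: kernel.unprivileged_userns_clone=1
#       (an Ubuntu/Debian-only sysctl; upstream kernels do not have it)
#   (b) running kernel ABI older than the fixed 'linux' package in the Status table
#       (assumes a -generic flavour; cloud/OEM kernels have their own version numbers)

# Split "5.4.0-48-generic" or "5.4.0-51.56" into "5 4 0 48" (major minor patch abi).
kver_parts() {
  v=$1
  maj=${v%%.*}; v=${v#*.}
  min=${v%%.*}; v=${v#*.}
  pat=${v%%-*}; v=${v#*-}
  abi=${v%%[!0-9]*}
  echo "$maj $min $pat $abi"
}

# Exit 0 if kernel version $1 is at or after version $2 (tuple comparison).
kernel_at_least() {
  set -- $(kver_parts "$1") $(kver_parts "$2")   # $1-$4 running, $5-$8 reference
  [ "$1" -gt "$5" ] && return 0
  [ "$1" -lt "$5" ] && return 1
  [ "$2" -gt "$6" ] && return 0
  [ "$2" -lt "$6" ] && return 1
  [ "$3" -gt "$7" ] && return 0
  [ "$3" -lt "$7" ] && return 1
  [ "$4" -ge "$8" ]
}

# First fixed / not-vulnerable 'linux' version per release, copied from the Status table.
fixed_version_for() {
  case "$1" in
    bionic)  echo 4.15.0-121.123 ;;
    focal)   echo 5.4.0-51.56 ;;
    groovy)  echo 5.8.0-16.17 ;;
    hirsute) echo 5.8.0-36.40+21.04.1 ;;
    *) return 1 ;;   # precise/trusty/xenial are "Ignored" in the table: nothing to compare
  esac
}

# Exit 0 = exposed (userns allowed AND kernel below the fix), 1 = mitigated,
# 2 = release not in the table.  Args: sysctl value, uname -r, release codename.
exposed() {
  [ "$1" = "1" ] || return 1
  fixed=$(fixed_version_for "$3") || return 2
  kernel_at_least "$2" "$fixed" && return 1
  return 0
}

# Optional probe: can an unprivileged user mount overlayfs inside a fresh user
# namespace?  Success shows the precondition holds, not that the kernel is vulnerable.
overlay_in_userns_allowed() {
  command -v unshare >/dev/null 2>&1 || return 2
  d=$(mktemp -d) || return 2
  mkdir -p "$d/lower" "$d/upper" "$d/work" "$d/merged"
  unshare -Urm sh -c \
    "mount -t overlay overlay -o lowerdir=$d/lower,upperdir=$d/upper,workdir=$d/work $d/merged" \
    >/dev/null 2>&1
  rc=$?
  rm -rf "$d"
  return $rc
}

main() {
  running=$(uname -r)
  series=$(. /etc/os-release 2>/dev/null && echo "${VERSION_CODENAME:-}")
  val=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || echo absent)
  echo "kernel $running, release ${series:-unknown}, unprivileged_userns_clone=$val"
  if [ "$val" = absent ]; then
    echo "sysctl absent: not an Ubuntu/Debian kernel; this page's mitigation does not apply"
  else
    exposed "$val" "$running" "$series" && rc=0 || rc=$?
    case $rc in
      0) echo "EXPOSED: unprivileged user namespaces enabled and kernel below the fixed version" ;;
      1) echo "mitigated: user namespaces disabled or kernel at/after the fixed version" ;;
      *) echo "release '$series' not in the table: compare $running against Status by hand" ;;
    esac
  fi
  if [ "${1:-}" = --probe ]; then
    if overlay_in_userns_allowed; then
      echo "probe: unprivileged overlayfs mount inside a user namespace succeeded"
    else
      echo "probe: overlayfs mount refused, or unshare unavailable"
    fi
  fi
}

main "$@"
```

Run it as an unprivileged user; nothing in it needs root. A "mitigated" verdict from the sysctl alone still leaves the kernel unpatched, so the fixed package should be installed regardless.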
Priority

Medium

CVSS 3 base score: 4.4

Status

Package (links)                      Release    Status

linux (Launchpad, Ubuntu, Debian)
  bionic    Released (4.15.0-121.123)
  focal     Released (5.4.0-51.56)
  groovy    Not vulnerable (5.8.0-16.17)
  hirsute   Not vulnerable (5.8.0-36.40+21.04.1)
  precise   Ignored (was needs-triage ESM criteria)
  trusty    Ignored (was needs-triage ESM criteria)
  upstream  Released (5.8~rc1)
  xenial    Ignored (was needed now end-of-life)

linux-aws (Launchpad, Ubuntu, Debian)
  bionic    Released (4.15.0-1086.91)
  focal     Released (5.4.0-1028.29)
  groovy    Not vulnerable (5.8.0-1004.4)
  hirsute   Not vulnerable (5.8.0-1018.20+21.04.1)
  precise   Does not exist
  trusty    Ignored (was needs-triage ESM criteria)
  upstream  Released (5.8~rc1)
  xenial    Ignored (was needed now end-of-life)

linux-aws-5.0 (Launchpad, Ubuntu, Debian)
  bionic    Ignored (was needs-triage now end-of-life)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-aws-5.3 (Launchpad, Ubuntu, Debian)
  bionic    Ignored (was needs-triage now end-of-life)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-aws-5.4 (Launchpad, Ubuntu, Debian)
  bionic    Released (5.4.0-1028.29~18.04.1)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-aws-hwe (Launchpad, Ubuntu, Debian)
  bionic    Does not exist
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Released (4.15.0-1085.90~16.04.1)

linux-azure (Launchpad, Ubuntu, Debian)
  bionic    Ignored (was needs-triage now end-of-life)
  focal     Released (5.4.0-1031.32)
  groovy    Not vulnerable (5.8.0-1004.4)
  hirsute   Not vulnerable (5.8.0-1016.17+21.04.1)
  precise   Does not exist
  trusty    Released (4.15.0-1098.109~14.04.1)
  upstream  Released (5.8~rc1)
  xenial    Released (4.15.0-1098.109~16.04.1)

linux-azure-4.15 (Launchpad, Ubuntu, Debian)
  bionic    Released (4.15.0-1099.110)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-azure-5.3 (Launchpad, Ubuntu, Debian)
  bionic    Ignored (was needs-triage now end-of-life)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-azure-5.4 (Launchpad, Ubuntu, Debian)
  bionic    Released (5.4.0-1031.32~18.04.1)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-azure-edge (Launchpad, Ubuntu, Debian)
  bionic    Ignored (was needs-triage now end-of-life)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-dell300x (Launchpad, Ubuntu, Debian)
  bionic    Not vulnerable (4.15.0-1005.8)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-gcp (Launchpad, Ubuntu, Debian)
  bionic    Ignored (was needs-triage now end-of-life)
  focal     Released (5.4.0-1028.29)
  groovy    Not vulnerable (5.8.0-1002.2)
  hirsute   Not vulnerable (5.8.0-1015.15+21.04.1)
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Released (4.15.0-1086.98~16.04.1)

linux-gcp-4.15 (Launchpad, Ubuntu, Debian)
  bionic    Released (4.15.0-1086.98)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-gcp-5.3 (Launchpad, Ubuntu, Debian)
  bionic    Ignored (was needs-triage now end-of-life)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-gcp-5.4 (Launchpad, Ubuntu, Debian)
  bionic    Released (5.4.0-1028.29~18.04.1)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-gcp-edge (Launchpad, Ubuntu, Debian)
  bionic    Ignored (was needs-triage now end-of-life)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-gke-4.15 (Launchpad, Ubuntu, Debian)
  bionic    Released (4.15.0-1072.76)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-gke-5.0 (Launchpad, Ubuntu, Debian)
  bionic    Released (5.0.0-1049.50)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-gke-5.3 (Launchpad, Ubuntu, Debian)
  bionic    Released (5.3.0-1038.40)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-gke-5.4 (Launchpad, Ubuntu, Debian)
  bionic    Released (5.4.0-1027.28~18.04.1)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-gkeop (Launchpad, Ubuntu, Debian)
  bionic    Does not exist
  focal     Not vulnerable (5.4.0-1008.9)
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-gkeop-5.4 (Launchpad, Ubuntu, Debian)
  bionic    Released (5.4.0-1003.3)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-hwe (Launchpad, Ubuntu, Debian)
  bionic    Released (5.3.0-68.63)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Released (4.15.0-120.122~16.04.1)

linux-hwe-5.4 (Launchpad, Ubuntu, Debian)
  bionic    Released (5.4.0-51.56~18.04.1)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-hwe-5.8 (Launchpad, Ubuntu, Debian)
  bionic    Does not exist
  focal     Not vulnerable (5.8.0-23.24~20.04.1)
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-hwe-edge (Launchpad, Ubuntu, Debian)
  bionic    Ignored (was needs-triage now end-of-life)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Ignored (was needs-triage now end-of-life)

linux-kvm (Launchpad, Ubuntu, Debian)
  bionic    Released (4.15.0-1077.79)
  focal     Released (5.4.0-1026.27)
  groovy    Not vulnerable (5.8.0-1001.1)
  hirsute   Not vulnerable (5.8.0-1010.11+21.04.1)
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Ignored (was needed now end-of-life)

linux-lts-trusty (Launchpad, Ubuntu, Debian)
  bionic    Does not exist
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Ignored (was needs-triage ESM criteria)
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-lts-xenial (Launchpad, Ubuntu, Debian)
  bionic    Does not exist
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Ignored (was needs-triage ESM criteria)
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-oem (Launchpad, Ubuntu, Debian)
  bionic    Released (4.15.0-1099.109)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Ignored (was needs-triage now end-of-life)

linux-oem-5.10 (Launchpad, Ubuntu, Debian)
  bionic    Does not exist
  focal     Not vulnerable (5.10.0-1008.9)
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-oem-5.6 (Launchpad, Ubuntu, Debian)
  bionic    Does not exist
  focal     Released (5.6.0-1031.32)
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-oem-osp1 (Launchpad, Ubuntu, Debian)
  bionic    Released (5.0.0-1069.75)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-oracle (Launchpad, Ubuntu, Debian)
  bionic    Released (4.15.0-1057.62)
  focal     Released (5.4.0-1028.29)
  groovy    Not vulnerable (5.8.0-1001.1)
  hirsute   Not vulnerable (5.8.0-1014.14+21.04.1)
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Released (4.15.0-1056.61~16.04.1)

linux-oracle-5.0 (Launchpad, Ubuntu, Debian)
  bionic    Ignored (was needs-triage now end-of-life)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-oracle-5.3 (Launchpad, Ubuntu, Debian)
  bionic    Ignored (was needs-triage now end-of-life)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-oracle-5.4 (Launchpad, Ubuntu, Debian)
  bionic    Released (5.4.0-1028.29~18.04.1)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-raspi (Launchpad, Ubuntu, Debian)
  bionic    Does not exist
  focal     Released (5.4.0-1021.24)
  groovy    Not vulnerable (5.8.0-1002.5)
  hirsute   Not vulnerable (5.8.0-1008.11+21.04.1)
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-raspi-5.4 (Launchpad, Ubuntu, Debian)
  bionic    Released (5.4.0-1021.24~18.04.1)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-raspi2 (Launchpad, Ubuntu, Debian)
  bionic    Released (4.15.0-1073.78)
  focal     Ignored (was needs-triage now end-of-life)
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Ignored (was needed now end-of-life)

linux-raspi2-5.3 (Launchpad, Ubuntu, Debian)
  bionic    Released (5.3.0-1035.37)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-riscv (Launchpad, Ubuntu, Debian)
  bionic    Does not exist
  focal     Released (5.4.0-36.41)
  groovy    Not vulnerable (5.8.0-1.1)
  hirsute   Not vulnerable (5.8.0-10.12+21.04.1)
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Does not exist

linux-snapdragon (Launchpad, Ubuntu, Debian)
  bionic    Released (4.15.0-1089.98)
  focal     Does not exist
  groovy    Does not exist
  hirsute   Does not exist
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (5.8~rc1)
  xenial    Ignored (was needed now end-of-life)

Notes

Author: sbeattie

  This issue most likely only has an impact on Ubuntu systems
  as it is dependent on both unprivileged user namespaces being enabled
  as well as a non-upstream patch that allows overlayfs mounts in user
  namespaces.
  The backport of this issue introduced a regression, LP: #1900141

References

Bugs