Date: Wed, 15 May 2024 18:58:38 +0200
From: Christian Brauner
To: Anthony Iliopoulos
Cc: Greg Kroah-Hartman, cve@kernel.org, linux-kernel@vger.kernel.org, linux-cve-announce@vger.kernel.org
Subject: Re: CVE-2024-26821: fs: relax mount_setattr() permission checks
Message-ID: <20240515-faken-gebohrt-b7c4731929fe@brauner>
References: <2024041702-CVE-2024-26821-de6b@gregkh> <20240514124939.77984-1-ailiop@suse.com>
In-Reply-To: <20240514124939.77984-1-ailiop@suse.com>

On Tue, May 14, 2024 at 02:49:39PM +0200, Anthony Iliopoulos wrote:
> On Wed, Apr 17, 2024 at 11:44:04AM +0200, Greg Kroah-Hartman wrote:
> > Description
> > ===========
> >
> > In the Linux kernel, the following vulnerability has been resolved:
> >
> > fs: relax mount_setattr() permission checks
> >
> > When we added mount_setattr() I added additional checks compared to the
> > legacy do_reconfigure_mnt() and do_change_type() helpers used by regular
> > mount(2). If that mount had a parent then verify that the caller and the
> > mount namespace the mount is attached to match and if not make sure that
> > it's an anonymous mount.
> >
> > The real rootfs falls into neither category. It is neither an anonymous
> > mount because it is obviously attached to the initial mount namespace
> > but it also obviously doesn't have a parent mount. So that means legacy
> > mount(2) allows changing mount properties on the real rootfs but
> > mount_setattr(2) blocks this. I never thought much about this but of
> > course someone on this planet of earth changes properties on the real
> > rootfs as can be seen in [1].
> >
> > Since util-linux finally switched to the new mount api in 2.39 not so
> > long ago it also relies on mount_setattr() and that surfaced this issue
> > when Fedora 39 finally switched to it. Fix this.
> >
> > The Linux kernel CVE team has assigned CVE-2024-26821 to this issue.
>
> This one probably needs to be disputed as it isn't an actual
> vulnerability, but rather a fix for the mount_setattr which previously
> didn't allow reconfiguring the real rootfs similar to what the mount
> syscall always allowed to do.
>
> So it merely brings mount_attr up to par with mount in terms of allowing
> the real rootfs to be reconfigured.
>
> Christian, what do you think?

Yeah, it's not security related at all. It just allows _additional_
functionality. Not sure how that ended up on the CVE list. Thanks for
pinging about this!