Received: by 2002:ab2:7855:0:b0:1f9:5764:f03e with SMTP id m21csp1017076lqp; Thu, 23 May 2024 06:58:49 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVlcmW5NkrWXms1x9YYwBv2g95PcjpE8wR72OSW1IUYKFNozVxlu5R29/A56hU6aN/u65O3+qlfkGrNn43LBzC1Uk5E3AV/uuD1dGUyTQ== X-Google-Smtp-Source: AGHT+IH0BxonqTb3lbCuupFzCfvo1e7inAZsepxYtZw8CIX3tUzJPjG7UJhweVQwqyu0ccsZoiyW X-Received: by 2002:a17:903:32d2:b0:1e2:577:f694 with SMTP id d9443c01a7336-1f31c9e1890mr55989075ad.61.1716472728838; Thu, 23 May 2024 06:58:48 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716472728; cv=pass; d=google.com; s=arc-20160816; b=rym5hmyOD8g2RHx6fSCDouuIf5ixTRjIKGRTOsMPOLtphKYWtqQBjRi+6mUmSGSHr+ bvmpwXBojZ5rLCb0bYwW0e3enueO3fL4lqC4eadpYLoDsqdlo+mpxtOa16ZKHG7qC60r hOsXaUfFi2babhgcwNGLy/Z+c423wQYa9gB0K8KkkW99OPQE3VwR9XzarClaAMIvdWts I5VdMoQO+1FXxs3O0/m298zdXp7LGo0KIV5jAzMhJP17K/limMWgOS+oOz5S5Xu6U5Vq HIEo95twhIIHPINoLA0O6qR00LZq6xA13NK/2upeUFWvO1nt0Rd8t54Wq0T710RoLrSy +NLQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=Cci/KLbl4/WTB+42n27pMbyAyATINi9IVODm3VHD720=; fh=OKbjSAja7o4+GcDZKTyN1IGVJU5hSmH2aT8XhRQwyA0=; b=PpJhU1XcYX3JtFe4a91N9Fvc7fGNtpMikXkF+P4OUbYWqQqGPQXMuiP7oRKFLEDvaS 2+2Mfyk0QjdpS9hoGJQJOFIfVrn380xOVbPcCO0W1S1IgKc6XAE0vF76wZffBU5OdMrg CE4RDtrQsRvbPHBRKyg4JMp6zrgeZvQ6gJ9w0R3nhenaXzXi2NZNzyxs4ajbAX7mcr+0 LHDAUlFw8aQaXX/IH9OtGji6S+atE0WNJLr8gRW47xOrgemCY5d4nxUR8MJqkN2i7AL4 oAeXi4yt8eEzTCks90zKWoDv37n7Km1kV5NjAw2DP3KAeB9ghSJmDggQm8pjnJKqg0Tw I8iQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=pRmMHcdz; arc=pass (i=1 dkim=pass dkdomain=linuxfoundation.org); spf=pass (google.com: domain of linux-kernel+bounces-187601-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-187601-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id d9443c01a7336-1f3354ad7a7si18800585ad.363.2024.05.23.06.58.48 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 23 May 2024 06:58:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-187601-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=pRmMHcdz; arc=pass (i=1 dkim=pass dkdomain=linuxfoundation.org); spf=pass (google.com: domain of linux-kernel+bounces-187601-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-187601-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id BD054B22FF3 for ; Thu, 23 May 2024 13:56:59 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id B8C8314AD36; Thu, 23 May 2024 13:56:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="pRmMHcdz" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DB74014A633; Thu, 23 May 2024 13:56:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716472608; cv=none; b=uVfhFDOpOPP310qx+qhLnEpvlclR4bI031jTV01oZby8rGty1o0taZOkRnrH9JVaKMlIkGynAylKK416XOJGa7XCZ5FL9A7Z0a1ip/5cPcP6mvcoiOlLB3mQ4p3KZmqRslS4hZfmDwRyu93yBCeeVtWyepV6vaMe1kwXtX9Fpdg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716472608; c=relaxed/simple; bh=NuGhr7Ze7oZ7xDZ++e/nLZxv4dxcfSFOl8w0DFD5S6c=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=D7fezIXwYNRffMrFVetlklGa/h4xyDyysk7zqYfxRoA0jmeczqYxz7NICp+pX1feuWvyTuob4ePzwWGrX65ZzQdfcIu4XE+Wz4DdWNoDa6QDrOSGy8E2e55ce15tDda9COY4VR/co0YoLkrw22YoXwmgH7VPliEIaYsGpqs2MiQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=pRmMHcdz; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2BC72C2BD10; Thu, 23 May 2024 13:56:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1716472607; bh=NuGhr7Ze7oZ7xDZ++e/nLZxv4dxcfSFOl8w0DFD5S6c=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=pRmMHcdzxoOXIAaz8SdoAhI2O380ggQ33OGHfk4iNl3FF6g6KiTpVEoD9V4H8AbPn ZeAxGAvkzLcg8PYIa6vJt+8I0mSmvAPnS3IPc7QKIlvkILvX8c2NQ2w2IguWnif2mE CqdsDGCmdbYrcf+JVtfnsiXIhcimsD3pYxsrJm6E= Date: Thu, 23 May 2024 15:56:44 +0200 From: Greg Kroah-Hartman To: Anthony Iliopoulos Cc: Christian Brauner , cve@kernel.org, linux-kernel@vger.kernel.org, linux-cve-announce@vger.kernel.org Subject: Re: CVE-2024-26821: fs: relax mount_setattr() permission checks Message-ID: <2024052328-favorably-gesture-7495@gregkh> References: <2024041702-CVE-2024-26821-de6b@gregkh> <20240514124939.77984-1-ailiop@suse.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240514124939.77984-1-ailiop@suse.com> On Tue, May 14, 2024 at 02:49:39PM +0200, Anthony Iliopoulos wrote: > On Wed, Apr 17, 2024 at 11:44:04AM +0200, Greg Kroah-Hartman wrote: > > Description > > =========== > > > > In the Linux kernel, the following vulnerability has been resolved: > > > > fs: relax mount_setattr() permission checks > > > > When we added mount_setattr() I added additional checks compared to the > > legacy do_reconfigure_mnt() and do_change_type() helpers used by regular > > mount(2). If that mount had a parent then verify that the caller and the > > mount namespace the mount is attached to match and if not make sure that > > it's an anonymous mount. > > > > The real rootfs falls into neither category. It is neither an anoymous > > mount because it is obviously attached to the initial mount namespace > > but it also obviously doesn't have a parent mount. So that means legacy > > mount(2) allows changing mount properties on the real rootfs but > > mount_setattr(2) blocks this. I never thought much about this but of > > course someone on this planet of earth changes properties on the real > > rootfs as can be seen in [1]. > > > > Since util-linux finally switched to the new mount api in 2.39 not so > > long ago it also relies on mount_setattr() and that surfaced this issue > > when Fedora 39 finally switched to it. Fix this. > > > > The Linux kernel CVE team has assigned CVE-2024-26821 to this issue. > > This one probably needs to be disputed as it isn't an actual > vulnerability, but rather a fix for the mount_setattr which previously > didn't allow reconfiguring the real rootfs similar to what the mount > syscall always allowed to do. > > So it merely brings mount_attr up to par with mount in terms of allowing > the real rootfs to be reconfigured. Yes, it fixes a problem where the system could not be booted properly without this fix. > Christian, what do you think ? I'll defer to Christian if this CVE should be revoked or not. thanks, greg k-h