Nasty Linux kernel bug found and fixed

Most reported Linux “security” bugs aren’t actually Linux bugs. For example, security vendor CrowdStrike’s report on the largest Linux-based malware families was actually about system administration security errors with telnet, SSH, and Docker, not Linux at all. But that doesn’t mean that Linux doesn’t have security vulnerabilities. For example, a nasty new Linux kernel problem has just surfaced.
In it, there is a heap overflow bug in legacy_parse_param in the linux kernel fs/fs_context.c program. This parameter is used in Linux filesystems when creating the superblock for mounting and reconfiguring the superblock for remounting. Superblock records all characteristics of a file system such as file size, block size, empty and filled storage blocks. So, yes, it is important.
The legacy_parse_param() calculation “PAGE_SIZE – 2 – size” was mistakenly defined as an unsigned type. This means that a large “size” value gives a large positive value instead of a negative value as expected. Whoops.
This, in turn, meant that you are copying data beyond the memory slab allocated to it. And, as all programmers know, writing beyond the memory your program is supposed to have access to is a terrible thing.
One of the main reasons why Rust is built into Linux is because Rust makes this type of memory error much harder to do. As all C developers know, it’s all too easy to stumble over memory allocation in a C program.
So how bad is it? According to the CVSS (Common Vulnerability Scoring System) v3.1 scoring test, it’s a solid 7.7. This is considered a high security vulnerability.
A local attacker can use it to elevate user privileges or crash the system. This can be done with a specially crafted program that triggers this integer overflow. Having done this, it is trivial to execute arbitrary code and give the attacker root privileges.
To use it, the CAP_SYS_ADMIN privilege must be enabled. If so, an unprivileged local user can open a file system that does not support the File System Context application programming interface (API). In this situation, it reverts to legacy management, and from there the flaw can elevate an attacker’s system privileges.
Exploitation is not as difficult to do as one might think. Its discoverer, Linux kernel developer William Liu, reports that he has created exploits against Ubuntu 20.04 and container escape exploits against Google’s Container-Optimized (COS) hardened.
This security flaw was introduced on February 28, 2019 in Linux kernel 5.1-rc1. It is now present in all Linux kernels. Yes, all. Fortunately, the patch is in place.
You can also disable it by disabling user namespaces by setting user.max_user_namespaces to with the following shell code on Red Hat Linux family.
- echo “user.max_user_namespaces=0” > /etc/sysctl.d/userns.conf
- sysctl -p /etc/sysctl.d/userns.conf
On Ubuntu and related distributions, you can protect your system with this shellcode:
- sysctl -w kernel.unprivileged_userns_clone=0
However, keep in mind that you must have a namespace available on containerized Linux distributions, such as Red Hat OpenShift Container Platform, as this feature must be enabled. In these circumstances, you will need to patch your Linux distribution as soon as your distributor makes the patch available.
Stay safe, stay patched.
Related stories: