CVE-2019-19921 re-introduction/regression

[Beuc]

Hi,

I'm part of the Debian Long Term Support (LTS) team, and I'm currently working on an update for package runc.

As explained in #2197 (comment) , while working on fixing CVE-2019-19921, I noticed the fix was apparently broken by the one for CVE-2021-30465 (0ca91f4).

I can reproduce the issue with branch main, using the original reproducer from #2197 (host's proc/sys/kernel/core_pattern overwritten from container-2 after a few tries).

Because various GNU/Linux distributions have incorporated the initial fix (or upgraded runc), and marked the security issue "fixed", I would recommend registering a new CVE to indicate that a follow-up fix is needed.
Do you confirm?

Thanks and best regards.

[thaJeztah]

/cc @samuelkarp @opencontainers/runc-maintainers

[carnil]

CVE-2023-27561 is the new CVE.

[AkihiroSuda]

Thank you for reporting this, but next time please follow https://github.com/opencontainers/runc/blob/main/SECURITY.md before disclosure.

[AkihiroSuda]

Trying to follow the repro steps in https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9 , but still I can't repro locally. (EDIT: reproducible on Ubuntu too, after attempting hundreds of times)

Tested the current main branch 69225fa and v1.1.4, on Ubuntu 22.10 (kernel 5.19.0-31-generic), amd64.

[AkihiroSuda]

Seems reproducible on Debian 11 (kernel 5.10.0-21-amd64). Maybe related to the kernel version?
(EDIT: reproducible on Ubuntu too, after attempting hundreds of times)

[g0dA]

No, I don't think it has anything to do with the kernel version, it's just because SYS_renameat2 was successfully executed through competition before the execution of readonlyPath()

1. Delay the execution of readonlyPath() by modifying the source code
2. Executing SYS_renameat2 twice can successfully reproduce

[g0dA]

Ps. Add the test steps that I did not modify the code

v1.1.4, on Arch(kernel 6.1.9-arch1-1)
follow the repro steps in https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9

1. run pwn in container-1
2. then create container-2 in other shell

for i in {0..150}
sudo runc create test-${i}

3. runc list

ID            PID         STATUS      BUNDLE                                    CREATED                          OWNER
container-1   3094        created     /home/lang/Desktop/seccheck/container-1   2023-03-05T04:41:32.637528085Z   root
test-132      11887       created     /home/lang/Desktop/seccheck/container-2   2023-03-05T05:35:55.707083185Z   root
test-137      11972       created     /home/lang/Desktop/seccheck/container-2   2023-03-05T05:35:55.822176563Z   root
test-33       0           stopped     /home/lang/Desktop/seccheck/container-2   2023-03-05T05:35:53.207528822Z   root
test-82       0           stopped     /home/lang/Desktop/seccheck/container-2   2023-03-05T05:35:54.477270492Z   root
test-96       0           stopped     /home/lang/Desktop/seccheck/container-2   2023-03-05T05:35:54.831671262Z   root

There are two things to note:

1. The permissions of /tmp/poc will cause SYS_renameat2 to fail
2. The continuous operation of pwn will affect the already created container-2 to fail

[AkihiroSuda]

PR:

• rootfs: prohibit symlinks that conflicts with readonlyPaths and/or maskedPaths to prevent CVE-2023-27561 #3756

EDIT: replaced by

• Prohibit /proc and /sys to be symlinks #3773

[ssst0n3]

Why there's no advisory under https://github.com/opencontainers/runc/security/advisories ?

[AkihiroSuda]

Why there's no advisory under https://github.com/opencontainers/runc/security/advisories ?

Because the CVE was published by somebody outside us, and we haven't released the fix (#3756 #3773) yet.

[Beuc]

Works for me (behavior back to filesystem \\\\\\\"proc\\\\\\\" must be mounted on ordinary directory), thanks!