Potential bug in path handling

From: iceboy
Date: Tue Apr 18 2017 - 23:06:32 EST

Next message: Samuel Holland: "padata & workqueue list corruption"
Previous message: Andrey Smirnov: "Re: [PATCH v2 3/3] mtd: dataflash: Make use of "extened device information""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I found this while writing a simple sandbox. Script to reproduce: https://gist.github.com/iceb0y/93e77e6945019d8a863b452e18a18079

In the `bugbox`:

bugbox-4.3$ ls bin
(you get the files in /bin)

however

bugbox-4.3$ ls ../bin
(nothing)

Tried with latest 4.11 kernel. The problem occurs when you bind mount `/` to itself, and then remount it. Looks like one of the mount namespace, bind mount or pivot_root is mishandling root barrier, causing `../bin` referencing to the `bin` directory instead of the bind mount. This could be a security problem.

Any idea on what's the problem, or how to debug this?

* Dependencies of `bugbox`:
python 2 or 3
the `butter` package for syscall (sorry)
/bin /lib and /lib64 on your system are real, not symlinks

Next message: Samuel Holland: "padata & workqueue list corruption"
Previous message: Andrey Smirnov: "Re: [PATCH v2 3/3] mtd: dataflash: Make use of "extened device information""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]