Cover Letter Detail
Show a cover letter.
GET /api/covers/2218233/?format=api
{ "id": 2218233, "url": "http://patchwork.ozlabs.org/api/covers/2218233/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260331182602.64469-1-massimiliano.pellizzer@canonical.com/", "project": { "id": 15, "url": "http://patchwork.ozlabs.org/api/projects/15/?format=api", "name": "Ubuntu Kernel", "link_name": "ubuntu-kernel", "list_id": "kernel-team.lists.ubuntu.com", "list_email": "kernel-team@lists.ubuntu.com", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260331182602.64469-1-massimiliano.pellizzer@canonical.com>", "list_archive_url": null, "date": "2026-03-31T18:26:00", "name": "[SRU,J,0/2] CVE-2023-2640 and CVE-2023-32629", "submitter": { "id": 89057, "url": "http://patchwork.ozlabs.org/api/people/89057/?format=api", "name": "Massimiliano Pellizzer", "email": "massimiliano.pellizzer@canonical.com" }, "mbox": "http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/20260331182602.64469-1-massimiliano.pellizzer@canonical.com/mbox/", "series": [ { "id": 498238, "url": "http://patchwork.ozlabs.org/api/series/498238/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=498238", "date": "2026-03-31T18:26:00", "name": "CVE-2023-2640 and CVE-2023-32629", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/498238/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/covers/2218233/comments/", "headers": { "Return-Path": "<kernel-team-bounces@lists.ubuntu.com>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=ccItctEO;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) 
smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4flc613BB4z1yCp\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 01 Apr 2026 05:27:05 +1100 (AEDT)", "from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1w7dnm-0007tF-Q5; Tue, 31 Mar 2026 18:26:58 +0000", "from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <massimiliano.pellizzer@canonical.com>)\n id 1w7dnl-0007lE-CS\n for kernel-team@lists.ubuntu.com; Tue, 31 Mar 2026 18:26:57 +0000", "from mail-lj1-f199.google.com (mail-lj1-f199.google.com\n [209.85.208.199])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 36FE03F365\n for <kernel-team@lists.ubuntu.com>; Tue, 31 Mar 2026 18:26:57 +0000 (UTC)", "by mail-lj1-f199.google.com with SMTP id\n 38308e7fff4ca-38ad2a699b7so37372871fa.3\n for <kernel-team@lists.ubuntu.com>; Tue, 31 Mar 2026 11:26:57 -0700 (PDT)", "from framework.ts.net (net-93-71-66-38.cust.vodafonedsl.it.\n [93.71.66.38]) by smtp.gmail.com with ESMTPSA id\n 38308e7fff4ca-38c836d3f25sm23444221fa.9.2026.03.31.11.26.54\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 31 Mar 2026 11:26:55 -0700 (PDT)" ], "X-Received": [ "by 2002:a05:651c:30e1:b0:387:e49:cd1d with SMTP id\n 38308e7fff4ca-38cc2fbfaa7mr892851fa.15.1774981616208;\n Tue, 31 Mar 2026 11:26:56 -0700 (PDT)", "by 2002:a05:651c:30e1:b0:387:e49:cd1d with SMTP id\n 38308e7fff4ca-38cc2fbfaa7mr892821fa.15.1774981615643;\n Tue, 31 Mar 2026 11:26:55 -0700 (PDT)" ], "From": "Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>", "To": "kernel-team@lists.ubuntu.com", "Subject": "[SRU][J][PATCH 0/2] CVE-2023-2640 and CVE-2023-32629", "Date": "Tue, 31 Mar 2026 20:26:00 +0200", "Message-ID": "<20260331182602.64469-1-massimiliano.pellizzer@canonical.com>", "X-Mailer": "git-send-email 2.51.0", "MIME-Version": "1.0", "X-BeenThere": "kernel-team@lists.ubuntu.com", "X-Mailman-Version": "2.1.20", "Precedence": "list", "List-Id": "Kernel team discussions <kernel-team.lists.ubuntu.com>", "List-Unsubscribe": "<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>", "List-Archive": "<https://lists.ubuntu.com/archives/kernel-team>", "List-Post": "<mailto:kernel-team@lists.ubuntu.com>", "List-Help": "<mailto:kernel-team-request@lists.ubuntu.com?subject=help>", "List-Subscribe": "<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "base64", "Errors-To": "kernel-team-bounces@lists.ubuntu.com", "Sender": "\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>" }, "content": "[ Impact ]\n\nAn unprivileged local user can obtain 
root privileges by exploiting the\nOverlayFS copy-up path. By setting scoped file capabilities inside a user\nnamespace and triggering a copy-up, the kernel writes unscoped (globally\neffective) capabilities to the upper directory via __vfs_setxattr_noperm(),\nbypassing cap_convert_nscap(). The resulting binary grants any chosen\ncapability to any user who executes it.\n\n[ Fix ]\n\nThe first patch reverts the SAUCE patch that replaced vfs_setxattr() with\n__vfs_setxattr_noperm() in ovl_do_setxattr(), restoring full VFS\npermission checks and security transformations (including\ncap_convert_nscap()) for all OverlayFS xattr operations.\n\nThe second patch applies a new SAUCE patch that auto-enables\nthe \"userxattr\" mount option when OverlayFS is mounted from a non-initial\nuser namespace, switching internal metadata to the unprivileged\nuser.overlay.* namespace. This preserves unprivileged mount functionality\nwithout bypassing the VFS security layer.\n\n[ Test Plan ]\n\nThe patchset has been tested, security-wise, using multiple available\nknown exploits.\nMoreover, the patchset has been tested with the following bash script\nto make sure it does not introduce any regression in functionalities:\n```\n #!/bin/sh -ex\n dir=`mktemp -d`\n\n cleanup() {\n umount -l $dir/t\n rm -rf $dir\n }\n trap cleanup EXIT\n\n echo \"dir is $dir\"\n mkdir -p $dir/l $dir/u $dir/w $dir/t\n mkdir $dir/l/dev\n mount -t overlay -o lowerdir=$dir/l,upperdir=$dir/u,workdir=$dir/w o $dir/t\n stat $dir/t/dev\n rmdir $dir/t/dev\n mkdir $dir/t/dev\n echo $?\n echo \"mkdir should have succeeded\"\n```\n\n[ Regression Potential ]\n\nReverting the first SAUCE patch re-enables VFS permission checks on all\nOverlayFS xattr writes. Without patch 2, any unprivileged user namespace\nOverlayFS mount would fail with EPERM on trusted.overlay.* writes. 
Patch 2\nmitigates this by redirecting to user.overlay.*.\nA regression is possible if existing overlays on disk carry trusted.overlay.*\nxattrs written by a prior kernel.\nNewly created overlays are unaffected. Container runtimes operating as real root\nare also unaffected as they mount from init_user_ns.\n\n\nMassimiliano Pellizzer (2):\n UBUNTU: SAUCE: Revert \"UBUNTU: SAUCE: overlayfs: Skip permission\n checking for trusted.overlayfs.* xattrs\"\n UBUNTU: SAUCE: overlayfs: default to userxattr when mounted from non\n initial user namespace\n\n fs/overlayfs/overlayfs.h | 15 ++-------------\n fs/overlayfs/super.c | 10 ++++++++++\n fs/xattr.c | 36 ++++++------------------------------\n include/linux/xattr.h | 1 -\n 4 files changed, 18 insertions(+), 44 deletions(-)" }