{"id":2220113,"url":"http://patchwork.ozlabs.org/api/1.0/covers/2220113/?format=json","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.0/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260406113010.38193-1-massimiliano.pellizzer@canonical.com>","date":"2026-04-06T11:30:08","name":"[SRU,J,v2,0/2] CVE-2023-2640 and CVE-2023-32629","submitter":{"id":89057,"url":"http://patchwork.ozlabs.org/api/1.0/people/89057/?format=json","name":"Massimiliano Pellizzer","email":"massimiliano.pellizzer@canonical.com"},"series":[{"id":498844,"url":"http://patchwork.ozlabs.org/api/1.0/series/498844/?format=json","date":"2026-04-06T11:30:08","name":"CVE-2023-2640 and CVE-2023-32629","version":2,"mbox":"http://patchwork.ozlabs.org/series/498844/mbox/"}],"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=f7J1goCR;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fq6bZ3Slpz1xy1\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 06 Apr 2026 21:31:22 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp 
(Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1w9iAm-0005pY-Dw; Mon, 06 Apr 2026 11:31:16 +0000","from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <massimiliano.pellizzer@canonical.com>)\n id 1w9iAl-0005pD-1A\n for kernel-team@lists.ubuntu.com; Mon, 06 Apr 2026 11:31:15 +0000","from mail-wm1-f72.google.com (mail-wm1-f72.google.com\n [209.85.128.72])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id D33303F154\n for <kernel-team@lists.ubuntu.com>; Mon,  6 Apr 2026 11:31:14 +0000 (UTC)","by mail-wm1-f72.google.com with SMTP id\n 5b1f17b1804b1-488af485ce9so5658195e9.0\n for <kernel-team@lists.ubuntu.com>; Mon, 06 Apr 2026 04:31:14 -0700 (PDT)","from framework.ts.net (net-93-71-66-38.cust.vodafonedsl.it.\n [93.71.66.38]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-488b739e00bsm36899605e9.10.2026.04.06.04.31.12\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Mon, 06 Apr 2026 04:31:12 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1775475074;\n bh=efTZyZUhFiHzGF7CAth0OyXyeHpkIcyGyY2xN/lGYlQ=;\n h=From:To:Subject:Date:Message-ID:MIME-Version;\n b=f7J1goCRPlcvrCeFEJH7bl4NLzJS1HspBxWgcvEcX63T+hKNTjVntrDYexXNEifKt\n 1iTRJwGEyExHcdSDXa2jYJgXH8kWEHsE+68Su8iKnr3Fbb0GS7eGmQ4T25gnUjtzpp\n UHBsNogYalJnny5UynM46mrOD0X8q60acNSRSKRsXbETSTA+zJXOpcGjr+YfSqD/aD\n KsIXGiEb833Vf+6HGXsRnmIpPF+c4hlGd4htO1O8wtUw9Afd8i1RU0H20IW7x2Blkc\n wci/0Hm102vDoWJmrOeMfwJ7Kw7qN8oxz1mhas+zRITAsjZwAX2xErdeZt5eb2WAWv\n l8Q+S1ysL3zdi31I0UWSq1Ms/jDVvWOWawWEIYf2VHRaomobjVjulyHWZWFazskuxI\n 
kkuaaZ2yDy9jsL1GGO3QlAYqty/WAXR7dr9pgUfn4PnIwlGcwXYwM/MMT+UeuBKz4d\n 11Xe381w5cjLAKcvK43Rt+Ht0QzZqjdok+zc8yzYqgirzBUmwFoOLqmTW0lTVD27IP\n gvfPDObRa7vMvN+q0/DgLRFOD4qwhEGkh+wqLOVylwG0vW0IMu1RXjl+t7hgD4p/sX\n dTGECIsSeca97E43fOi8X+t1GyPaY+DzVq6DsFVsESFBfLB0bToF/OQsCmBlaPO1Bp\n 2iWwKBdMeep5CqnjlpyJFyF8=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1775475074; x=1776079874;\n h=content-transfer-encoding:mime-version:message-id:date:subject:to\n :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=efTZyZUhFiHzGF7CAth0OyXyeHpkIcyGyY2xN/lGYlQ=;\n b=BPKxeUj1wJQuIbobIde0fPiCEcZJwMjsw8cSwNpdiQSoKp6X37OUgB5voPFGu9KnMZ\n /H2mgd8SqATRykQK+hcFOCrLSdDJ4C/j+7rgOfx6+J5CEOgFBqaWb08kRnor5JvelOUb\n AcQY5+ZHeVJVDoGWGGNTuNT7z2mKqY1OnX94lUH56b43Sac2i7x6eHNWE8iyoSIJWIgu\n ztxC5TYfk6rvv3ze4ja5jKXq1DEXuOoIdsrdywTAGHvAcl5JRTjaF4p/jC85jlDDZuAz\n 4erwQR3amlPQ129AWhTiVEsCbj8EEgKT2wsS0Onw7A4DeWkD7ru9KkylAm1xWnzWgM2j\n EE3g==","X-Gm-Message-State":"AOJu0YwzEx7lGR+L0eQ6A+ReTydN53MBxk1x+WQ0luIYQ7G0cXEisuz3\n i/81qLOd5sYuL2mQ/O432uHQNrARrRFR3b9CYpKzKMepS+6JjkYZJgYppz0q+/vbRLWUM8TO6Lj\n bg9wQ+/lca39ZYGDNcF9TaxLo2wusC0PPmPAa/f4f3us8UKTCJp/0gF+mVT2D61is+QhHVRDtAm\n mubdeg9+T5X1Rl3w==","X-Gm-Gg":"AeBDies+a2d/PERmDltiNaPo/UNKjUJMmUOwaogpansSiuz4Iz5nfk7+26pUnmzDahe\n 8W8CWSLbzN3vb3ZC2tiTJfSk3BnGMBbW7hk4yHTr8gIW5gPVe6Uhx/HYINXmpOzonzAPB10YkIp\n SqS3WUYQ0FvEkqEIl60BKK/OmWCCiVydylqvV8lRlRmRliKbJINd2yWfL9+YLvLSYFLgUXnCLKY\n utbNB97OsWYjKGVxqAtdoItgDdvC0MJz16SNZE0Sw6REzzvECdGrQriBQ0E1poEibEfks2vj4bs\n 4ORZCYMEi5I0dVnDo/4gbbT18eHUkZ97mThMXtPleeQYooQf2k6SxfIDQg2ICtTY8aPIuhB7mcd\n gfO+wZidlmi3iCtkcDIgx3FGGprJTaFGeXTqXQOygjxXP6tLCIXkDtKv3Ra7lF5uhhn58C5ax0t\n 0Ft+4Q8i6wdflKSfttQnprnCSrDlGdqS92X6yQa3u5EDeih0Af6PD5y6YBHr9jjHZt2RVeikA=","X-Received":["by 2002:a05:600c:4752:b0:488:7ff5:2c67 with SMTP id\n 5b1f17b1804b1-4889976ea80mr183407875e9.12.1775475074052;\n Mon, 06 Apr 2026 04:31:14 -0700 (PDT)","by 
2002:a05:600c:4752:b0:488:7ff5:2c67 with SMTP id\n 5b1f17b1804b1-4889976ea80mr183407265e9.12.1775475073554;\n Mon, 06 Apr 2026 04:31:13 -0700 (PDT)"],"From":"Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][J][PATCH v2 0/2] CVE-2023-2640 and CVE-2023-32629","Date":"Mon,  6 Apr 2026 13:30:08 +0200","Message-ID":"<20260406113010.38193-1-massimiliano.pellizzer@canonical.com>","X-Mailer":"git-send-email 2.51.0","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"[ Impact ]\n\nAn unprivileged local user can obtain root privileges by exploiting the\nOverlayFS copy-up path. By setting scoped file capabilities inside a user\nnamespace and triggering a copy-up, the kernel writes unscoped (globally\neffective) capabilities to the upper directory via __vfs_setxattr_noperm(),\nbypassing cap_convert_nscap(). 
The resulting binary grants any chosen\ncapability to any user who executes it.\n\n[ Fix ]\n\nThe first patch reverts the SAUCE patch that replaced vfs_setxattr() with\n__vfs_setxattr_noperm() in ovl_do_setxattr(), restoring full VFS\npermission checks and security transformations (including\ncap_convert_nscap()) for all OverlayFS xattr operations.\n\nThe second patch applies a new SAUCE patch that auto-enables\nthe \"userxattr\" mount option when OverlayFS is mounted from a non-initial\nuser namespace, switching internal metadata to the unprivileged\nuser.overlay.* namespace. This preserves unprivileged mount functionality\nwithout bypassing the VFS security layer.\n\n[ Test Plan ]\n\nThe patchset has been tested, security wise, using multiple available\nknown exploits.\nMoreover, the patchset has been tested with the following bash script\nto make sure it does not introduce any regression in functionalities:\n```\n  #!/bin/sh -ex\n  dir=`mktemp -d`\n\n  cleanup() {\n    umount -l $dir/t\n    rm -rf $dir\n  }\n  trap cleanup EXIT\n\n  echo \"dir is $dir\"\n  mkdir -p $dir/l $dir/u $dir/w $dir/t\n  mkdir $dir/l/dev\n  mount -t overlay -o lowerdir=$dir/l,upperdir=$dir/u,workdir=$dir/w o $dir/t\n  stat $dir/t/dev\n  rmdir $dir/t/dev\n  mkdir $dir/t/dev\n  echo $?\n  echo \"mkdir should have succeeded\"\n```\n\n[ Regression Potential ]\n\nReverting the first SAUCE patch re-enables VFS permission checks on all\nOverlayFS xattr writes. Without patch 2, any unprivileged user namespace\nOverlayFS mount would fail with EPERM on trusted.overlay.* writes. Patch 2\nmitigates this by redirecting to user.overlay.*.\nA regression is possible if existing overlays on disk carry trusted.overlay.*\nxattrs written by a prior kernel.\nNewly created overlays are unaffected. 
Container runtimes operating as real root\nare also unaffected as they mount from init_user_ns.\n\n[ Changes between v1 and v2 ]\n\nFixed typo in commit message of the first patch.\n\nMassimiliano Pellizzer (2):\n  UBUNTU: SAUCE: Revert \"UBUNTU: SAUCE: overlayfs: Skip permission\n    checking for trusted.overlayfs.* xattrs\"\n  UBUNTU: SAUCE: overlayfs: default to userxattr when mounted from non\n    initial user namespace\n\n fs/overlayfs/overlayfs.h | 15 ++-------------\n fs/overlayfs/super.c     | 10 ++++++++++\n fs/xattr.c               | 36 ++++++------------------------------\n include/linux/xattr.h    |  1 -\n 4 files changed, 18 insertions(+), 44 deletions(-)"}