FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- jail escape possible by mounting over jail root

Affected packages
12.2 <= FreeBSD-kernel < 12.2_6
11.4 <= FreeBSD-kernel < 11.4_9

Details

VuXML ID a7b97d26-9792-11eb-b87a-901b0ef719ab
Discovery 2021-04-06
Entry 2021-04-07

Problem Description:

Due to a race condition between lookup of ".." and remounting a filesystem, a process running inside a jail might access filesystem hierarchy outside of jail.

Impact:

A process with superuser privileges running inside a jail configured with the allow.mount permission (not enabled by default) could change the root directory outside of the jail, and thus gain full read and write access to all files and directories in the system.

References

CVE Name CVE-2020-25584
FreeBSD Advisory SA-21:10.jail_mount