The OverlayFS vulnerability [CVE-2023-0386]
A Linux kernel bug in the overlayfs filesystem that can lead to root privilege escalation. For a bit of background, overlayfs lets you build a filesystem out of two stacked layers: a lower layer, which the overlay treats as read-only, and a writable upper layer. Any modification to a file that exists only in the lower layer first gets that file "copied up" into the upper layer; the overlay then reflects the change without touching the lower layer's copy of the file. This seems fairly straightforward until you consider that the overlay can be mounted from inside an unprivileged user namespace while the lower layer holds files whose owners have no mapping in that namespace.
In the attack, the lower layer is a filesystem the attacker controls, on which they have already placed a file owned by root (uid 0) with the setuid bit set. On its own that file is harmless, because a mount an unprivileged user can create (a FUSE filesystem, for example) is mounted nosuid. The attacker then mounts an overlay inside an unprivileged user namespace, where they are "root" through a uid_map that maps uid 0 in the namespace to their real uid, and puts the upper directory on an ordinary filesystem they can write to, such as a directory they own under /tmp. Triggering a copy-up of the setuid file (writing to it or changing its timestamps is enough) makes the kernel recreate it in the upper directory using the mounter's credentials. The copy-up chowns the new copy to the lower file's owner without checking that uid 0 maps into the mounter's namespace, and it does not strip the setuid bit the way a user-space chown would, so the result is a genuine root-owned setuid binary on a mount that honours setuid. Executing it runs attacker-controlled code as root.
The fix (mainline commit "ovl: fail on invalid uid/gid mapping at copy up", merged for Linux 6.2 and backported to stable kernels) refuses the copy-up with EOVERFLOW unless both the uid and the gid of the lower file have a mapping in the user namespace of the task that mounted the overlay, which is the same condition a cp -a run by the mounter would have to satisfy. In the attack scenario the mounter's namespace maps only the attacker's own uid (as root inside the namespace); the real uid 0 that owns the lower file has no mapping there, so the copy-up is denied.
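As an added example (written for this page, not code from the original post or from the kernel), here is a user-space C model of the uid/gid translation that user namespaces perform and of the check the fix adds to copy-up. The uid_map line format, the make_kuid/from_kuid semantics and the EOVERFLOW result follow the kernel; the uid_map contents, the function names and the copy_up_check helper are constructed for illustration and are assumptions of the example.

```c
/* Model of user-namespace id mapping and the CVE-2023-0386 copy-up check.
 * Added example, not kernel code: the map format and translation rules
 * mirror /proc/<pid>/uid_map and the kernel's make_kuid()/from_kuid(),
 * everything else (names, scenario data) is constructed for illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_EXTENTS 5             /* small fixed limit for this model */
#define INVALID_ID ((unsigned)-1) /* kernel's INVALID_UID/GID; stat(2) shows 65534 instead */

struct extent { unsigned inner, outer, count; };  /* one "inner outer count" line */
struct idmap  { struct extent ext[MAX_EXTENTS]; int n; };
struct userns { struct idmap uid_map, gid_map; };

/* Parse text in the format written to /proc/<pid>/uid_map or gid_map. */
static int parse_idmap(const char *text, struct idmap *map)
{
    const char *p = text;
    map->n = 0;
    while (*p) {
        struct extent e;
        int consumed = 0;
        if (map->n == MAX_EXTENTS)
            return -EINVAL;
        if (sscanf(p, " %u %u %u%n", &e.inner, &e.outer, &e.count, &consumed) != 3 ||
            e.count == 0)
            return -EINVAL;
        map->ext[map->n++] = e;
        p += consumed;
        while (*p == '\n' || *p == ' ')
            p++;
    }
    return map->n ? 0 : -EINVAL;
}

/* make_kuid(): id as seen inside the namespace -> global kernel id. */
static unsigned make_kid(const struct idmap *map, unsigned inner_id)
{
    for (int i = 0; i < map->n; i++) {
        const struct extent *e = &map->ext[i];
        if (inner_id >= e->inner && inner_id - e->inner < e->count)
            return e->outer + (inner_id - e->inner);
    }
    return INVALID_ID;
}

/* from_kuid(): global kernel id -> id inside the namespace, if mapped. */
static unsigned from_kid(const struct idmap *map, unsigned kid)
{
    for (int i = 0; i < map->n; i++) {
        const struct extent *e = &map->ext[i];
        if (kid >= e->outer && kid - e->outer < e->count)
            return e->inner + (kid - e->outer);
    }
    return INVALID_ID;
}

static bool kid_has_mapping(const struct idmap *map, unsigned kid)
{
    return from_kid(map, kid) != INVALID_ID;
}

/* Copy-up decision for a lower file owned by (kuid, kgid) when the overlay
 * was mounted from mounter_ns. Before the fix the owner was copied over
 * unconditionally; with the fix an unmapped uid or gid fails with -EOVERFLOW,
 * the same error a chown by the mounter would hit for an unmapped id. */
static int copy_up_check(const struct userns *mounter_ns, unsigned kuid,
                         unsigned kgid, bool fixed)
{
    if (!fixed)
        return 0;
    if (!kid_has_mapping(&mounter_ns->uid_map, kuid) ||
        !kid_has_mapping(&mounter_ns->gid_map, kgid))
        return -EOVERFLOW;
    return 0;
}

int main(void)
{
    /* Constructed scenario: real uid 1000 does unshare(CLONE_NEWUSER) and
     * writes "0 1000 1" to uid_map and gid_map, becoming "root" inside.
     * kuid 1000 is that fake root; kuid 0 is the real root. */
    struct userns ns;
    parse_idmap("0 1000 1\n", &ns.uid_map);
    parse_idmap("0 1000 1\n", &ns.gid_map);

    printf("uid 0 inside the namespace is kuid %u\n", make_kid(&ns.uid_map, 0));
    printf("real root (kuid 0) seen from inside: %s\n",
           kid_has_mapping(&ns.uid_map, 0) ? "mapped" : "unmapped (shows as 65534)");

    /* The lower file: uid 0, gid 0, mode 04755, served by the attacker's layer. */
    int before = copy_up_check(&ns, 0, 0, false);
    int after  = copy_up_check(&ns, 0, 0, true);
    printf("copy-up of root-owned setuid file: before fix %d, after fix %d (%s)\n",
           before, after, after ? strerror(-after) : "allowed");

    /* A file the mounter legitimately owns still copies up after the fix. */
    printf("copy-up of file owned by kuid 1000: %d\n", copy_up_check(&ns, 1000, 1000, true));
    return 0;
}
```

The model also handles container-style maps with several extents (for example "0 100000 65536" plus a second line), which is the case where a large id range is mapped and the unmapped real root is what the attack needed. Comparing the inner id 0 returned by make_kid with the unmapped kuid 0 is the whole point: the attacker's "root" and the system's root are different kernel ids, and the fixed copy-up only ever copies ids the mounter could have produced with chown.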