CVE-2015-8660

Bug #1528904 reported by Serge Hallyn on 2015-12-23
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-armadaxp (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-flo (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-goldfish (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-quantal (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-raring (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-saucy (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-trusty (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-utopic (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-vivid (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-wily (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-lts-xenial (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-mako (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-manta (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-raspi2 (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-snapdragon (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
Undecided
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned
linux-ti-omap4 (Ubuntu)
High
Unassigned
Precise
High
Unassigned
Trusty
High
Unassigned
Vivid
High
Unassigned
Wily
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned

Bug Description

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

Break-Fix: e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c acff81ec2c79492b180fade3c2894425cd35a545

Kamal Mostafa (kamalmostafa) wrote :

[corrected]:

The fix commit (acff81e "ovl: fix permission checking for setattr") applies cleanly to Vivid (already committed), Wily, and Xenial.

By code inspection, it appears to me that the older version of overlayfs in releases <= Utopic is not vulnerable to this exploit: their ovl_setattr() already calls a copy_up first thing, like the fix patch does.

Tyler Hicks (tyhicks) on 2015-12-24
summary: - overlay getattr vulnerability
+ overlay setattr vulnerability

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status: New → Confirmed
Tyler Hicks (tyhicks) wrote :

Making this bug public since all the details in this bug are already public.

information type: Private Security → Public Security
Tyler Hicks (tyhicks) on 2015-12-24
Changed in linux (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High
Andy Whitcroft (apw) wrote :

I have installed VMs with the various combinations and tried the POC as supplied with each. I confirm that only vivid and later are exposed by the exploit.

Steve Beattie (sbeattie) on 2015-12-31
description: updated
Steve Beattie (sbeattie) on 2016-01-04
Changed in linux-lts-trusty (Ubuntu Precise):
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Trusty):
status: New → Fix Committed
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux (Ubuntu Precise):
importance: Undecided → High
Changed in linux (Ubuntu Wily):
status: New → Fix Committed
importance: Undecided → High
Changed in linux (Ubuntu Xenial):
status: Triaged → Fix Committed
Changed in linux (Ubuntu Trusty):
importance: Undecided → High
Changed in linux (Ubuntu Vivid):
status: New → Fix Committed
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Precise):
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Precise):
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Wily):
importance: Undecided → High
Changed in linux-manta (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-manta (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Vivid):
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Trusty):
status: New → Fix Committed
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Wily):
status: New → Fix Committed
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Wily):
importance: Undecided → High
Changed in linux-mako (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-mako (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Vivid):
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Trusty):
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Steve Beattie (sbeattie) on 2016-01-04
Changed in linux-goldfish (Ubuntu Wily):
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Vivid):
importance: Undecided → High
Changed in linux-flo (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Wily):
importance: Undecided → High
Changed in linux-flo (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-flo (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Vivid):
importance: Undecided → High
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.2.0-23.28

---------------
linux (4.2.0-23.28) wily; urgency=low

  [ Andy Whitcroft ]

  * Release Tracking Bug
    - LP: #1529361

  [ Upstream Kernel Changes ]

  * ovl: fix permission checking for setattr
    - LP: #1528904
    - CVE-2015-8660

 -- Andy Whitcroft <email address hidden> Sat, 26 Dec 2015 09:42:47 +0000

Changed in linux (Ubuntu Wily):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.19.0-43.49

---------------
linux (3.19.0-43.49) vivid; urgency=low

  [ Andy Whitcroft ]

  * Release Tracking Bug
    - LP: #1529362

  [ Upstream Kernel Changes ]

  * ovl: fix permission checking for setattr
    - LP: #1528904
    - CVE-2015-8660

 -- Andy Whitcroft <email address hidden> Sat, 26 Dec 2015 09:48:24 +0000

Changed in linux (Ubuntu Vivid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-vivid - 3.19.0-43.49~14.04.1

---------------
linux-lts-vivid (3.19.0-43.49~14.04.1) trusty; urgency=low

  [ Andy Whitcroft ]

  * Release Tracking Bug
    - LP: #1529971

  [ Upstream Kernel Changes ]

  * ovl: fix permission checking for setattr
    - LP: #1528904
    - CVE-2015-8660

 -- Andy Whitcroft <email address hidden> Sat, 26 Dec 2015 09:48:24 +0000

Changed in linux-lts-vivid (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-raspi2 - 4.2.0-1018.25

---------------
linux-raspi2 (4.2.0-1018.25) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1529992
  * rebased on Ubuntu-4.2.0-23.28

  [ Ubuntu: 4.2.0-23.28 ]

  * Release Tracking Bug
    - LP: #1529361
  * ovl: fix permission checking for setattr
    - LP: #1528904
    - CVE-2015-8660

 -- Luis Henriques <email address hidden> Mon, 04 Jan 2016 10:57:53 +0000

Changed in linux-raspi2 (Ubuntu Wily):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-wily - 4.2.0-23.28~14.04.1

---------------
linux-lts-wily (4.2.0-23.28~14.04.1) trusty; urgency=low

  [ Andy Whitcroft ]

  * Release Tracking Bug
    - LP: #1529993

  [ Upstream Kernel Changes ]

  * ovl: fix permission checking for setattr
    - LP: #1528904
    - CVE-2015-8660

 -- Andy Whitcroft <email address hidden> Sat, 26 Dec 2015 09:42:47 +0000

Changed in linux-lts-wily (Ubuntu Trusty):
status: Fix Committed → Fix Released
tags: added: kernel-cve-tracking-bug
summary: - overlay setattr vulnerability
+ 2015-8660
summary: - 2015-8660
+ CVE-2015-8660
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.3.0-6.17

---------------
linux (4.3.0-6.17) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1532958

  [ Eric Dumazet ]

  * SAUCE: (noup) net: fix IP early demux races
    - LP: #1526946

  [ Guilherme G. Piccoli ]

  * SAUCE: powerpc/eeh: Validate arch in eeh_add_device_early()
    - LP: #1486180

  [ Hui Wang ]

  * [Config] CONFIG_I2C_DESIGNWARE_BAYTRAIL=y, CONFIG_IOSF_MBI=y
    - LP: #1527096

  [ Jann Horn ]

  * ptrace: being capable wrt a process requires mapped uids/gids
    - LP: #1527374

  [ Serge Hallyn ]

  * SAUCE: add a sysctl to disable unprivileged user namespace unsharing

  [ Tim Gardner ]

  * [Config] CONFIG_ZONE_DEVICE=y for amd64
  * [Config] CONFIG_VIRTIO_BLK=y, CONFIG_VIRTIO_NET=y for s390
    - LP: #1532886

  [ Upstream Kernel Changes ]

  * rhashtable: Fix walker list corruption
    - LP: #1526811
  * rhashtable: Kill harmless RCU warning in rhashtable_walk_init
    - LP: #1526811
  * ovl: fix permission checking for setattr
    - LP: #1528904
    - CVE-2015-8660

 -- Tim Gardner <email address hidden> Thu, 17 Dec 2015 05:34:47 -0700

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) on 2016-02-10
Changed in linux-raspi2 (Ubuntu Xenial):
status: New → Fix Committed
Steve Beattie (sbeattie) on 2016-02-11
Changed in linux-lts-xenial (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Trusty):
status: New → Fix Committed
importance: Undecided → High
Steve Beattie (sbeattie) on 2016-04-19
Changed in linux-manta (Ubuntu Xenial):
status: New → Invalid
Steve Beattie (sbeattie) on 2016-04-27
description: updated
Steve Beattie (sbeattie) on 2016-04-27
Changed in linux-lts-trusty (Ubuntu Precise):
status: New → Invalid
Changed in linux (Ubuntu Precise):
status: New → Invalid
Changed in linux (Ubuntu Trusty):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Invalid
Changed in linux-lts-utopic (Ubuntu Trusty):
status: New → Invalid
Steve Beattie (sbeattie) on 2016-05-06
Changed in linux-snapdragon (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High

This bug was nominated against a series that is no longer supported, i.e. vivid. The bug task representing the vivid nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux-flo (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw) on 2017-10-17
Changed in linux-goldfish (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw) on 2017-10-17
Changed in linux-mako (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw) on 2017-10-17
Changed in linux-manta (Ubuntu Vivid):
status: New → Won't Fix
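
The fixed uploads recorded in the Launchpad Janitor changelog entries above can be turned into a per-series patch check. The following is an added example, not part of the bug report or of any Ubuntu tooling: the function names are hypothetical, the stanza headers are copied from this page, and the installed versions used to exercise it are constructed.

```python
import re

# Changelog stanza headers copied from the Launchpad Janitor comments on this page.
FIXED_STANZAS = """\
linux (4.2.0-23.28) wily; urgency=low
linux (3.19.0-43.49) vivid; urgency=low
linux-lts-vivid (3.19.0-43.49~14.04.1) trusty; urgency=low
linux-raspi2 (4.2.0-1018.25) wily; urgency=low
linux-lts-wily (4.2.0-23.28~14.04.1) trusty; urgency=low
linux (4.3.0-6.17) xenial; urgency=low
"""
HEADER = re.compile(r"^(\S+) \(([^)]+)\) (\w+); urgency=\w+$")

def parse_fixed(text):
    """Map (source package, series) -> first upload that carries the fix."""
    return {(m.group(1), m.group(3)): m.group(2)
            for m in map(HEADER.match, text.splitlines()) if m}

def _order(c):
    # dpkg ordering for non-digit characters: '~' sorts before everything,
    # even the end of the string (0); letters sort before punctuation.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare one version component (upstream or revision) the way dpkg does."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            x = _order(na[i]) if i < len(na) else 0
            y = _order(nb[i]) if i < len(nb) else 0
            if x != y:
                return -1 if x < y else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def deb_cmp(v1, v2):
    """Return -1, 0 or 1. Epochs are not handled: none appear on this page."""
    u1, r1 = v1.rsplit("-", 1) if "-" in v1 else (v1, "")
    u2, r2 = v2.rsplit("-", 1) if "-" in v2 else (v2, "")
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def fix_status(package, series, installed):
    """Classify an installed package version against the fixed upload."""
    fixed = parse_fixed(FIXED_STANZAS).get((package, series))
    if fixed is None:
        return "no-fix-recorded"  # this page lists no fixed upload for the pair
    return "has-fix" if deb_cmp(installed, fixed) >= 0 else "predates-fix"
```

Pass the kernel package version as dpkg reports it; `uname -r` omits the upload number that distinguishes fixed from unfixed builds.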
This report contains Public Security information
Everyone can see this security related information.