CVE-2016-1576
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | High | Unassigned | |
Precise | Won't Fix | High | Unassigned | |
Trusty | Fix Released | High | Unassigned | |
Vivid | Fix Released | High | Unassigned | |
Wily | Fix Released | High | Unassigned | |
Xenial | Fix Released | High | Unassigned | |
Yakkety | Fix Released | High | Unassigned | |
linux-armadaxp (Ubuntu) | Invalid | High | Unassigned | |
Precise | Won't Fix | High | Unassigned | |
Trusty | Invalid | High | Unassigned | |
Vivid | Won't Fix | Undecided | Unassigned | |
Wily | Invalid | High | Unassigned | |
Xenial | Invalid | High | Unassigned | |
Yakkety | Invalid | High | Unassigned | |
linux-flo (Ubuntu) | New | High | Unassigned | |
Precise | Invalid | High | Unassigned | |
Trusty | Invalid | High | Unassigned | |
Vivid | Won't Fix | Undecided | Unassigned | |
Wily | New | High | Unassigned | |
Xenial | New | High | Unassigned | |
Yakkety | New | High | Unassigned | |
linux-goldfish (Ubuntu) | New | High | Unassigned | |
Precise | Invalid | High | Unassigned | |
Trusty | Invalid | High | Unassigned | |
Vivid | Won't Fix | Undecided | Unassigned | |
Wily | New | High | Unassigned | |
Xenial | New | High | Unassigned | |
Yakkety | New | High | Unassigned | |
linux-lts-quantal (Ubuntu) | Invalid | High | Unassigned | |
Precise | Invalid | High | Unassigned | |
Trusty | Invalid | High | Unassigned | |
Vivid | Won't Fix | Undecided | Unassigned | |
Wily | Invalid | High | Unassigned | |
Xenial | Invalid | High | Unassigned | |
Yakkety | Invalid | High | Unassigned | |
linux-lts-raring (Ubuntu) | Invalid | High | Unassigned | |
Precise | Invalid | High | Unassigned | |
Trusty | Invalid | High | Unassigned | |
Vivid | New | Undecided | Unassigned | |
Wily | Invalid | High | Unassigned | |
Xenial | Invalid | High | Unassigned | |
Yakkety | Invalid | High | Unassigned | |
linux-lts-saucy (Ubuntu) | Invalid | High | Unassigned | |
Precise | Invalid | High | Unassigned | |
Trusty | Invalid | High | Unassigned | |
Vivid | New | Undecided | Unassigned | |
Wily | Invalid | High | Unassigned | |
Xenial | Invalid | High | Unassigned | |
Yakkety | Invalid | High | Unassigned | |
linux-lts-trusty (Ubuntu) | Invalid | High | Unassigned | |
Precise | Fix Released | High | Unassigned | |
Trusty | Invalid | High | Unassigned | |
Vivid | Won't Fix | Undecided | Unassigned | |
Wily | Invalid | High | Unassigned | |
Xenial | Invalid | High | Unassigned | |
Yakkety | Invalid | High | Unassigned | |
linux-lts-utopic (Ubuntu) | Invalid | High | Unassigned | |
Precise | Invalid | High | Unassigned | |
Trusty | Fix Released | High | Unassigned | |
Vivid | Won't Fix | Undecided | Unassigned | |
Wily | Invalid | High | Unassigned | |
Xenial | Invalid | High | Unassigned | |
Yakkety | Invalid | High | Unassigned | |
linux-lts-vivid (Ubuntu) | Invalid | High | Unassigned | |
Precise | Invalid | High | Unassigned | |
Trusty | Fix Released | High | Unassigned | |
Vivid | Won't Fix | Undecided | Unassigned | |
Wily | Invalid | High | Unassigned | |
Xenial | Invalid | High | Unassigned | |
Yakkety | Invalid | High | Unassigned | |
linux-lts-wily (Ubuntu) | Invalid | High | Unassigned | |
Precise | Invalid | High | Unassigned | |
Trusty | Fix Released | High | Unassigned | |
Vivid | Won't Fix | Undecided | Unassigned | |
Wily | Invalid | High | Unassigned | |
Xenial | Invalid | High | Unassigned | |
Yakkety | Invalid | High | Unassigned | |
linux-lts-xenial (Ubuntu) | Invalid | High | Unassigned | |
Precise | Invalid | High | Unassigned | |
Trusty | Invalid | High | Unassigned | |
Vivid | New | Undecided | Unassigned | |
Wily | Invalid | High | Unassigned | |
Xenial | Invalid | High | Unassigned | |
Yakkety | Invalid | High | Unassigned | |
linux-mako (Ubuntu) | New | High | Unassigned | |
Precise | Invalid | High | Unassigned | |
Trusty | Invalid | High | Unassigned | |
Vivid | New | Undecided | Unassigned | |
Wily | New | High | Unassigned | |
Xenial | New | High | Unassigned | |
Yakkety | New | High | Unassigned | |
linux-manta (Ubuntu) | Invalid | High | Unassigned | |
Precise | Invalid | High | Unassigned | |
Trusty | Invalid | High | Unassigned | |
Vivid | New | Undecided | Unassigned | |
Wily | New | High | Unassigned | |
Xenial | Invalid | High | Unassigned | |
Yakkety | Invalid | High | Unassigned | |
linux-raspi2 (Ubuntu) | Fix Released | High | Unassigned | |
Precise | Invalid | High | Unassigned | |
Trusty | Invalid | High | Unassigned | |
Vivid | Won't Fix | Undecided | Unassigned | |
Wily | Fix Released | High | Unassigned | |
Xenial | Invalid | High | Unassigned | |
Yakkety | Invalid | High | Unassigned | |
linux-snapdragon (Ubuntu) | Invalid | High | Unassigned | |
Precise | Invalid | High | Unassigned | |
Trusty | Invalid | High | Unassigned | |
Vivid | New | Undecided | Unassigned | |
Wily | Invalid | High | Unassigned | |
Xenial | Invalid | High | Unassigned | |
Yakkety | Invalid | High | Unassigned | |
linux-ti-omap4 (Ubuntu) | Invalid | High | Unassigned | |
Precise | Won't Fix | High | Unassigned | |
Trusty | Invalid | High | Unassigned | |
Vivid | Won't Fix | Undecided | Unassigned | |
Wily | Invalid | High | Unassigned | |
Xenial | Invalid | High | Unassigned | |
Yakkety | Invalid | High | Unassigned | |

Bug Description
On Ubuntu Wily it is possible to place a USERNS overlayfs mount over a fuse mount. The fuse filesystem may contain SUID binaries, but those cannot be executed due to nosuid mount options. But when touching such an SUID binary via overlayfs mount, this will trigger copy_up including all file attributes, thus creating a real SUID binary on the disk.
Sequence:
* Mount fuse filesystem exposing one world writable SUID binary
* Create USERNS
* Mount overlayfs on top of fuse
* open the SUID binary RDWR in overlayfs, thus triggering copy_up
Afterwards the SUID binary can be invoked to gain root privileges.
For additional information, test tool see http://
$ lsb_release -rd
Description: Ubuntu 15.10
Release: 15.10
$ apt-cache policy linux-image-
linux-image-
Installed: 4.2.0-23.28
Candidate: 4.2.0-23.28
Version table:
*** 4.2.0-23.28 0
500 http://
500 http://
100 /var/lib/
Changed in linux (Ubuntu): | |
status: | New → Confirmed |
importance: | Undecided → Critical |
information type: | Private Security → Public Security |
tags: | added: patch |
tags: | added: kernel-cve-skip-description |
Changed in linux-lts-trusty (Ubuntu Precise): | |
status: | New → Fix Released |
importance: | Undecided → High |
Changed in linux-lts-trusty (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-trusty (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-trusty (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-wily (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-wily (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-wily (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-wily (Ubuntu Trusty): | |
status: | New → Fix Released |
importance: | Undecided → High |
Changed in linux-lts-quantal (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-quantal (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-quantal (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-quantal (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux (Ubuntu Precise): | |
importance: | Undecided → High |
Changed in linux (Ubuntu Wily): | |
importance: | Undecided → High |
Changed in linux (Ubuntu Xenial): | |
importance: | Critical → High |
Changed in linux (Ubuntu Trusty): | |
importance: | Undecided → High |
Changed in linux-ti-omap4 (Ubuntu Precise): | |
importance: | Undecided → High |
Changed in linux-ti-omap4 (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-ti-omap4 (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-ti-omap4 (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-raring (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-raring (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-raring (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-raring (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-armadaxp (Ubuntu Precise): | |
importance: | Undecided → High |
Changed in linux-armadaxp (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-armadaxp (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-armadaxp (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-xenial (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-xenial (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-xenial (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-xenial (Ubuntu Trusty): | |
importance: | Undecided → High |
Changed in linux-lts-saucy (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-saucy (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-saucy (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-saucy (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-manta (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-manta (Ubuntu Wily): | |
importance: | Undecided → High |
Changed in linux-manta (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in linux-manta (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-vivid (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-vivid (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-vivid (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-vivid (Ubuntu Trusty): | |
status: | New → Fix Released |
importance: | Undecided → High |
Changed in linux-raspi2 (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-raspi2 (Ubuntu Wily): | |
status: | New → Fix Released |
importance: | Undecided → High |
Changed in linux-raspi2 (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in linux-raspi2 (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-mako (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-mako (Ubuntu Wily): | |
importance: | Undecided → High |
Changed in linux-mako (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in linux-mako (Ubuntu Trusty): | |
status: | New → Invalid |
Changed in linux-mako (Ubuntu Trusty): | |
importance: | Undecided → High |
Changed in linux-lts-utopic (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-utopic (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-utopic (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-utopic (Ubuntu Trusty): | |
status: | New → Fix Released |
importance: | Undecided → High |
Changed in linux-goldfish (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-goldfish (Ubuntu Wily): | |
importance: | Undecided → High |
Changed in linux-goldfish (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in linux-goldfish (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-flo (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-flo (Ubuntu Wily): | |
importance: | Undecided → High |
Changed in linux-flo (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in linux-flo (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-xenial (Ubuntu Trusty): | |
status: | New → Invalid |
Changed in linux-raspi2 (Ubuntu Xenial): | |
status: | New → Invalid |
Changed in linux-manta (Ubuntu Xenial): | |
status: | New → Invalid |
Changed in linux-snapdragon (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-snapdragon (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-snapdragon (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-snapdragon (Ubuntu Yakkety): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-snapdragon (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → High |
tags: | added: kernel-cve-tracking-bug |
Changed in linux (Ubuntu Vivid): | |
importance: | Undecided → High |
summary: |
- overlayfs over fuse should refuse copy_up of files if uid/gid not mapped + CVE-2016-1576 |
Changed in linux (Ubuntu Yakkety): | |
status: | Fix Released → Invalid |
Changed in linux (Ubuntu Yakkety): | |
status: | Invalid → Fix Committed |
Changed in linux-flo (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-goldfish (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-quantal (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-trusty (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-utopic (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-vivid (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-lts-wily (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-raspi2 (Ubuntu Vivid): | |
status: | New → Won't Fix |
Changed in linux-ti-omap4 (Ubuntu Vivid): | |
status: | New → Won't Fix |
I haven't verified this bug report but wanted to mention my initial thoughts on it. An inode that is setuid and world writable is a valid inode. It should remain setuid until it is written to and, at that point, the setuid bit should be stripped. This is done by file_remove_privs(), which must be called by the function assigned to the .write_iter member of a filesystem's file_operations struct.
It sounds like this is possibly not happening on inodes that are copied up by overlayfs.
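
The invariant described in the comment above can be checked from userspace. The following C program is an added example, not code from the bug report or the kernel: it creates a setuid, world-writable scratch file in a given directory, writes one byte to it, and reports whether the kernel cleared the setuid bit. The function name `write_clears_setuid` and the scratch-file name are assumptions of this example, and it exercises the plain write path only, not an overlayfs copy-up.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the write cleared S_ISUID, 0 if the bit survived, and
 * -1 if the check could not be run (I/O error, or the filesystem would
 * not store the bit). dir is any writable directory, for example one
 * inside the mount being audited. Hypothetical helper for this example. */
int write_clears_setuid(const char *dir)
{
    char path[4096];
    struct stat st;
    int result = -1;

    if (snprintf(path, sizeof path, "%s/suidchk.XXXXXX", dir) >= (int)sizeof path)
        return -1;
    int fd = mkstemp(path);              /* scratch file owned by the caller */
    if (fd < 0)
        return -1;

    /* Same shape as the file in the report: setuid and world-writable. */
    if (fchmod(fd, S_ISUID | 0777) == 0 &&
        fstat(fd, &st) == 0 && (st.st_mode & S_ISUID) &&  /* bit was stored */
        write(fd, "x", 1) == 1 &&                         /* modify the file */
        fstat(fd, &st) == 0)
        result = (st.st_mode & S_ISUID) ? 0 : 1;

    close(fd);
    unlink(path);
    return result;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    int r = write_clears_setuid(dir);

    if (r < 0)
        fprintf(stderr, "%s: check could not be run\n", dir);
    else if (r == 0 && geteuid() == 0)
        /* root normally holds CAP_FSETID, so the kernel keeps the bit */
        printf("%s: bit kept, inconclusive when run as root\n", dir);
    else
        printf("%s: setuid bit %s by write\n", dir, r ? "cleared" : "KEPT");
    return r == 1 ? 0 : 1;
}
```

Run it as an unprivileged user; a result of "KEPT" in that case means the filesystem's write path is not stripping privileges as the comment says it must.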