CVE-2015-8660

Bug #1528904 reported by Serge Hallyn
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
linux (Ubuntu) | Fix Released | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Invalid | High | Unassigned |
  Vivid | Fix Released | High | Unassigned |
  Wily | Fix Released | High | Unassigned |
  Xenial | Fix Released | High | Unassigned |
  Yakkety | Fix Released | High | Unassigned |
linux-armadaxp (Ubuntu) | Invalid | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Invalid | High | Unassigned |
  Vivid | Invalid | High | Unassigned |
  Wily | Invalid | High | Unassigned |
  Xenial | Invalid | High | Unassigned |
  Yakkety | Invalid | High | Unassigned |
linux-flo (Ubuntu) | New | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Invalid | High | Unassigned |
  Vivid | Won't Fix | High | Unassigned |
  Wily | New | High | Unassigned |
  Xenial | New | High | Unassigned |
  Yakkety | New | High | Unassigned |
linux-goldfish (Ubuntu) | New | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Invalid | High | Unassigned |
  Vivid | Won't Fix | High | Unassigned |
  Wily | New | High | Unassigned |
  Xenial | New | High | Unassigned |
  Yakkety | New | High | Unassigned |
linux-lts-quantal (Ubuntu) | Invalid | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Invalid | High | Unassigned |
  Vivid | Invalid | High | Unassigned |
  Wily | Invalid | High | Unassigned |
  Xenial | Invalid | High | Unassigned |
  Yakkety | Invalid | High | Unassigned |
linux-lts-raring (Ubuntu) | Invalid | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Invalid | High | Unassigned |
  Vivid | Invalid | High | Unassigned |
  Wily | Invalid | High | Unassigned |
  Xenial | Invalid | High | Unassigned |
  Yakkety | Invalid | High | Unassigned |
linux-lts-saucy (Ubuntu) | Invalid | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Invalid | High | Unassigned |
  Vivid | Invalid | High | Unassigned |
  Wily | Invalid | High | Unassigned |
  Xenial | Invalid | High | Unassigned |
  Yakkety | Invalid | High | Unassigned |
linux-lts-trusty (Ubuntu) | Invalid | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Invalid | High | Unassigned |
  Vivid | Invalid | High | Unassigned |
  Wily | Invalid | High | Unassigned |
  Xenial | Invalid | High | Unassigned |
  Yakkety | Invalid | High | Unassigned |
linux-lts-utopic (Ubuntu) | Invalid | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Invalid | High | Unassigned |
  Vivid | Invalid | High | Unassigned |
  Wily | Invalid | High | Unassigned |
  Xenial | Invalid | High | Unassigned |
  Yakkety | Invalid | High | Unassigned |
linux-lts-vivid (Ubuntu) | Invalid | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Fix Released | High | Unassigned |
  Vivid | Invalid | High | Unassigned |
  Wily | Invalid | High | Unassigned |
  Xenial | Invalid | High | Unassigned |
  Yakkety | Invalid | High | Unassigned |
linux-lts-wily (Ubuntu) | Invalid | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Fix Released | High | Unassigned |
  Vivid | Invalid | High | Unassigned |
  Wily | Invalid | High | Unassigned |
  Xenial | Invalid | High | Unassigned |
  Yakkety | Invalid | High | Unassigned |
linux-lts-xenial (Ubuntu) | Invalid | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Fix Committed | High | Unassigned |
  Vivid | New | Undecided | Unassigned |
  Wily | Invalid | High | Unassigned |
  Xenial | Invalid | High | Unassigned |
  Yakkety | Invalid | High | Unassigned |
linux-mako (Ubuntu) | New | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Invalid | High | Unassigned |
  Vivid | Won't Fix | High | Unassigned |
  Wily | New | High | Unassigned |
  Xenial | New | High | Unassigned |
  Yakkety | New | High | Unassigned |
linux-manta (Ubuntu) | Invalid | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Invalid | High | Unassigned |
  Vivid | Won't Fix | High | Unassigned |
  Wily | New | High | Unassigned |
  Xenial | Invalid | High | Unassigned |
  Yakkety | Invalid | High | Unassigned |
linux-raspi2 (Ubuntu) | Fix Committed | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Invalid | High | Unassigned |
  Vivid | Invalid | High | Unassigned |
  Wily | Fix Released | High | Unassigned |
  Xenial | Fix Committed | High | Unassigned |
  Yakkety | Fix Committed | High | Unassigned |
linux-snapdragon (Ubuntu) | Invalid | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Invalid | High | Unassigned |
  Vivid | New | Undecided | Unassigned |
  Wily | Invalid | High | Unassigned |
  Xenial | Invalid | High | Unassigned |
  Yakkety | Invalid | High | Unassigned |
linux-ti-omap4 (Ubuntu) | Invalid | High | Unassigned |
  Precise | Invalid | High | Unassigned |
  Trusty | Invalid | High | Unassigned |
  Vivid | Invalid | High | Unassigned |
  Wily | Invalid | High | Unassigned |
  Xenial | Invalid | High | Unassigned |
  Yakkety | Invalid | High | Unassigned |

Bug Description

The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

Break-Fix: e9be9d5e76e34872f0c37d72e25bc27fe9e2c54c acff81ec2c79492b180fade3c2894425cd35a545

Kamal Mostafa (kamalmostafa) wrote :

[corrected]:

The fix commit (acff81e "ovl: fix permission checking for setattr") applies cleanly to Vivid (already committed), Wily, and Xenial.

By code inspection, it appears to me that the older version of overlayfs in releases <= Utopic is not vulnerable to this exploit: their ovl_setattr() already calls a copy_up first thing, like the fix patch does.

Tyler Hicks (tyhicks)
summary: - overlay getattr vulnerability
+ overlay setattr vulnerability
Launchpad Janitor (janitor) wrote : Re: overlay setattr vulnerability

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status: New → Confirmed
Tyler Hicks (tyhicks) wrote :

Making this bug public since all the details in this bug are already public.

information type: Private Security → Public Security
Tyler Hicks (tyhicks)
Changed in linux (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → High
Andy Whitcroft (apw) wrote :

I have installed VMs with the various combinations and tried the POC as supplied with each. I confirm that only vivid and later are exposed by the exploit.

Steve Beattie (sbeattie)
description: updated
Steve Beattie (sbeattie)
Changed in linux-lts-trusty (Ubuntu Precise):
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Trusty):
status: New → Fix Committed
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux (Ubuntu Precise):
importance: Undecided → High
Changed in linux (Ubuntu Wily):
status: New → Fix Committed
importance: Undecided → High
Changed in linux (Ubuntu Xenial):
status: Triaged → Fix Committed
Changed in linux (Ubuntu Trusty):
importance: Undecided → High
Changed in linux (Ubuntu Vivid):
status: New → Fix Committed
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Precise):
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Precise):
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Wily):
importance: Undecided → High
Changed in linux-manta (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-manta (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Vivid):
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Trusty):
status: New → Fix Committed
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Wily):
status: New → Fix Committed
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Wily):
importance: Undecided → High
Changed in linux-mako (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-mako (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Vivid):
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Trusty):
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Steve Beattie (sbeattie)
Changed in linux-goldfish (Ubuntu Wily):
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Vivid):
importance: Undecided → High
Changed in linux-flo (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Wily):
importance: Undecided → High
Changed in linux-flo (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-flo (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Vivid):
importance: Undecided → High
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.2.0-23.28

---------------
linux (4.2.0-23.28) wily; urgency=low

  [ Andy Whitcroft ]

  * Release Tracking Bug
    - LP: #1529361

  [ Upstream Kernel Changes ]

  * ovl: fix permission checking for setattr
    - LP: #1528904
    - CVE-2015-8660

 -- Andy Whitcroft <email address hidden> Sat, 26 Dec 2015 09:42:47 +0000

Changed in linux (Ubuntu Wily):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.19.0-43.49

---------------
linux (3.19.0-43.49) vivid; urgency=low

  [ Andy Whitcroft ]

  * Release Tracking Bug
    - LP: #1529362

  [ Upstream Kernel Changes ]

  * ovl: fix permission checking for setattr
    - LP: #1528904
    - CVE-2015-8660

 -- Andy Whitcroft <email address hidden> Sat, 26 Dec 2015 09:48:24 +0000

Changed in linux (Ubuntu Vivid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-vivid - 3.19.0-43.49~14.04.1

---------------
linux-lts-vivid (3.19.0-43.49~14.04.1) trusty; urgency=low

  [ Andy Whitcroft ]

  * Release Tracking Bug
    - LP: #1529971

  [ Upstream Kernel Changes ]

  * ovl: fix permission checking for setattr
    - LP: #1528904
    - CVE-2015-8660

 -- Andy Whitcroft <email address hidden> Sat, 26 Dec 2015 09:48:24 +0000

Changed in linux-lts-vivid (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-raspi2 - 4.2.0-1018.25

---------------
linux-raspi2 (4.2.0-1018.25) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1529992
  * rebased on Ubuntu-4.2.0-23.28

  [ Ubuntu: 4.2.0-23.28 ]

  * Release Tracking Bug
    - LP: #1529361
  * ovl: fix permission checking for setattr
    - LP: #1528904
    - CVE-2015-8660

 -- Luis Henriques <email address hidden> Mon, 04 Jan 2016 10:57:53 +0000

Changed in linux-raspi2 (Ubuntu Wily):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-wily - 4.2.0-23.28~14.04.1

---------------
linux-lts-wily (4.2.0-23.28~14.04.1) trusty; urgency=low

  [ Andy Whitcroft ]

  * Release Tracking Bug
    - LP: #1529993

  [ Upstream Kernel Changes ]

  * ovl: fix permission checking for setattr
    - LP: #1528904
    - CVE-2015-8660

 -- Andy Whitcroft <email address hidden> Sat, 26 Dec 2015 09:42:47 +0000

Changed in linux-lts-wily (Ubuntu Trusty):
status: Fix Committed → Fix Released
Mathew Hodson (mhodson)
tags: added: kernel-cve-tracking-bug
summary: - overlay setattr vulnerability
+ 2015-8660
summary: - 2015-8660
+ CVE-2015-8660
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.3.0-6.17

---------------
linux (4.3.0-6.17) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1532958

  [ Eric Dumazet ]

  * SAUCE: (noup) net: fix IP early demux races
    - LP: #1526946

  [ Guilherme G. Piccoli ]

  * SAUCE: powerpc/eeh: Validate arch in eeh_add_device_early()
    - LP: #1486180

  [ Hui Wang ]

  * [Config] CONFIG_I2C_DESIGNWARE_BAYTRAIL=y, CONFIG_IOSF_MBI=y
    - LP: #1527096

  [ Jann Horn ]

  * ptrace: being capable wrt a process requires mapped uids/gids
    - LP: #1527374

  [ Serge Hallyn ]

  * SAUCE: add a sysctl to disable unprivileged user namespace unsharing

  [ Tim Gardner ]

  * [Config] CONFIG_ZONE_DEVICE=y for amd64
  * [Config] CONFIG_VIRTIO_BLK=y, CONFIG_VIRTIO_NET=y for s390
    - LP: #1532886

  [ Upstream Kernel Changes ]

  * rhashtable: Fix walker list corruption
    - LP: #1526811
  * rhashtable: Kill harmless RCU warning in rhashtable_walk_init
    - LP: #1526811
  * ovl: fix permission checking for setattr
    - LP: #1528904
    - CVE-2015-8660

 -- Tim Gardner <email address hidden> Thu, 17 Dec 2015 05:34:47 -0700

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Steve Beattie (sbeattie)
Changed in linux-raspi2 (Ubuntu Xenial):
status: New → Fix Committed
Steve Beattie (sbeattie)
Changed in linux-lts-xenial (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Trusty):
status: New → Fix Committed
importance: Undecided → High
Steve Beattie (sbeattie)
Changed in linux-manta (Ubuntu Xenial):
status: New → Invalid
Steve Beattie (sbeattie)
description: updated
Steve Beattie (sbeattie)
Changed in linux-lts-trusty (Ubuntu Precise):
status: New → Invalid
Changed in linux (Ubuntu Precise):
status: New → Invalid
Changed in linux (Ubuntu Trusty):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Invalid
Changed in linux-lts-utopic (Ubuntu Trusty):
status: New → Invalid
Steve Beattie (sbeattie)
Changed in linux-snapdragon (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Andy Whitcroft (apw) wrote : Closing unsupported series nomination.

This bug was nominated against a series that is no longer supported, ie vivid. The bug task representing the vivid nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux-flo (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-goldfish (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-mako (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-manta (Ubuntu Vivid):
status: New → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.