CVE-2016-1576

Bug #1535150 reported by halfdog
Affects                      Status        Importance  Assigned to
linux (Ubuntu)               Fix Released  High        Unassigned
  Precise                    Won't Fix     High        Unassigned
  Trusty                     Fix Released  High        Unassigned
  Vivid                      Fix Released  High        Unassigned
  Wily                       Fix Released  High        Unassigned
  Xenial                     Fix Released  High        Unassigned
  Yakkety                    Fix Released  High        Unassigned
linux-armadaxp (Ubuntu)      Invalid       High        Unassigned
  Precise                    Won't Fix     High        Unassigned
  Trusty                     Invalid       High        Unassigned
  Vivid                      Won't Fix     Undecided   Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
  Yakkety                    Invalid       High        Unassigned
linux-flo (Ubuntu)           New           High        Unassigned
  Precise                    Invalid       High        Unassigned
  Trusty                     Invalid       High        Unassigned
  Vivid                      Won't Fix     Undecided   Unassigned
  Wily                       New           High        Unassigned
  Xenial                     New           High        Unassigned
  Yakkety                    New           High        Unassigned
linux-goldfish (Ubuntu)      New           High        Unassigned
  Precise                    Invalid       High        Unassigned
  Trusty                     Invalid       High        Unassigned
  Vivid                      Won't Fix     Undecided   Unassigned
  Wily                       New           High        Unassigned
  Xenial                     New           High        Unassigned
  Yakkety                    New           High        Unassigned
linux-lts-quantal (Ubuntu)   Invalid       High        Unassigned
  Precise                    Invalid       High        Unassigned
  Trusty                     Invalid       High        Unassigned
  Vivid                      Won't Fix     Undecided   Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
  Yakkety                    Invalid       High        Unassigned
linux-lts-raring (Ubuntu)    Invalid       High        Unassigned
  Precise                    Invalid       High        Unassigned
  Trusty                     Invalid       High        Unassigned
  Vivid                      New           Undecided   Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
  Yakkety                    Invalid       High        Unassigned
linux-lts-saucy (Ubuntu)     Invalid       High        Unassigned
  Precise                    Invalid       High        Unassigned
  Trusty                     Invalid       High        Unassigned
  Vivid                      New           Undecided   Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
  Yakkety                    Invalid       High        Unassigned
linux-lts-trusty (Ubuntu)    Invalid       High        Unassigned
  Precise                    Fix Released  High        Unassigned
  Trusty                     Invalid       High        Unassigned
  Vivid                      Won't Fix     Undecided   Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
  Yakkety                    Invalid       High        Unassigned
linux-lts-utopic (Ubuntu)    Invalid       High        Unassigned
  Precise                    Invalid       High        Unassigned
  Trusty                     Fix Released  High        Unassigned
  Vivid                      Won't Fix     Undecided   Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
  Yakkety                    Invalid       High        Unassigned
linux-lts-vivid (Ubuntu)     Invalid       High        Unassigned
  Precise                    Invalid       High        Unassigned
  Trusty                     Fix Released  High        Unassigned
  Vivid                      Won't Fix     Undecided   Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
  Yakkety                    Invalid       High        Unassigned
linux-lts-wily (Ubuntu)      Invalid       High        Unassigned
  Precise                    Invalid       High        Unassigned
  Trusty                     Fix Released  High        Unassigned
  Vivid                      Won't Fix     Undecided   Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
  Yakkety                    Invalid       High        Unassigned
linux-lts-xenial (Ubuntu)    Invalid       High        Unassigned
  Precise                    Invalid       High        Unassigned
  Trusty                     Invalid       High        Unassigned
  Vivid                      New           Undecided   Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
  Yakkety                    Invalid       High        Unassigned
linux-mako (Ubuntu)          New           High        Unassigned
  Precise                    Invalid       High        Unassigned
  Trusty                     Invalid       High        Unassigned
  Vivid                      New           Undecided   Unassigned
  Wily                       New           High        Unassigned
  Xenial                     New           High        Unassigned
  Yakkety                    New           High        Unassigned
linux-manta (Ubuntu)         Invalid       High        Unassigned
  Precise                    Invalid       High        Unassigned
  Trusty                     Invalid       High        Unassigned
  Vivid                      New           Undecided   Unassigned
  Wily                       New           High        Unassigned
  Xenial                     Invalid       High        Unassigned
  Yakkety                    Invalid       High        Unassigned
linux-raspi2 (Ubuntu)        Fix Released  High        Unassigned
  Precise                    Invalid       High        Unassigned
  Trusty                     Invalid       High        Unassigned
  Vivid                      Won't Fix     Undecided   Unassigned
  Wily                       Fix Released  High        Unassigned
  Xenial                     Invalid       High        Unassigned
  Yakkety                    Invalid       High        Unassigned
linux-snapdragon (Ubuntu)    Invalid       High        Unassigned
  Precise                    Invalid       High        Unassigned
  Trusty                     Invalid       High        Unassigned
  Vivid                      New           Undecided   Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
  Yakkety                    Invalid       High        Unassigned
linux-ti-omap4 (Ubuntu)      Invalid       High        Unassigned
  Precise                    Won't Fix     High        Unassigned
  Trusty                     Invalid       High        Unassigned
  Vivid                      Won't Fix     Undecided   Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
  Yakkety                    Invalid       High        Unassigned

Bug Description

On Ubuntu Wily it is possible to place a USERNS overlayfs mount over a fuse mount. The fuse filesystem may contain SUID binaries, but those cannot be executed due to nosuid mount options. But when touching such an SUID binary via an overlayfs mount, this will trigger copy_up including all file attributes, thus creating a real SUID binary on the disk.

Sequence:
* Mount fuse filesystem exposing one world writable SUID binary
* Create USERNS
* Mount overlayfs on top of fuse
* Open the SUID binary RDWR in overlayfs, thus triggering copy_up

Afterwards the SUID binary can be invoked to gain root privileges.

For additional information and a test tool, see http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/ (InvitedOnly/3YD9ufze) and the attached sharing policy.

$ lsb_release -rd
Description: Ubuntu 15.10
Release: 15.10

$ apt-cache policy linux-image-4.2.0-23-generic
linux-image-4.2.0-23-generic:
  Installed: 4.2.0-23.28
  Candidate: 4.2.0-23.28
  Version table:
 *** 4.2.0-23.28 0
        500 http://archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ wily-security/main amd64 Packages
        100 /var/lib/dpkg/status

Tyler Hicks (tyhicks) wrote :

I haven't verified this bug report but wanted to mention my initial thoughts on it. An inode that is setuid and world writable is a valid inode. It should remain setuid until it is written to and, at that point, the setuid bit should be stripped. This is done by file_remove_privs(), which must be called by the function assigned to the .write_iter member of a filesystem's file_operations struct.

It sounds like this is possibly not happening on inodes that are copied up by overlayfs.

halfdog (halfdog) wrote :

Yes, maybe I have attributed the effects to the wrong cause (or made some mistake in testing). But I am not sure if the path via .write_iter is really relevant to the issue either: the SUID bit copy is done by the strange copy_up function, not by a normal SUID-bit-preserving operation from user space.

Usually copy_up would only copy SUID binaries that were also "real" SUID binaries on the lower filesystem. But with fuse mounted as an unprivileged user via fusermount and outside of any USERNS, fuse may "pretend" to include SUID binaries with UID=0, but the mount itself is "nosuid" and private (no other UID can see the fuse-fs content). Overlayfs ignores the "nosuid" AND the private type of the lower filesystem, copies up the SUID binary, thus creating a SUID binary with arbitrary UID and content on the upper filesystem, which can then be executed by the unprivileged user outside the USERNS to gain privileges.

Hence the world-writable SUID file should be just a red herring here, and not really important for the test case.

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1535150] Re: overlayfs over fuse should refuse copy_up of files if uid/gid not mapped

Seth's upstream patchset adding the mounter's user_ns to the superblock should help to implement the proper "ignore if inode->i_[ug]id not mapped in inode->i_sb->s_userns" semantics. But it is not yet accepted.

halfdog (halfdog) wrote : Re: overlayfs over fuse should refuse copy_up of files if uid/gid not mapped

Oh, that is great! Is the patch already available for review, or even better, is there a kernel .deb package to easily test it before it is put online?

Seth Forshee (sforshee) wrote :

halfdog: The patch is currently in the for-testing branch of https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/. I have a more up-to-date branch with additional patches too, https://git.kernel.org/cgit/linux/kernel/git/sforshee/linux.git/ fuse-userns.

Seth Forshee (sforshee) wrote :

I've confirmed the bug, using fuseext2 to mount a filesystem containing an suid-root executable.

Tyler: file_remove_privs() only gets called on write. overlayfs copies up the file as soon as it is opened read/write, no writing necessary. The suid file gets copied into upperdir, then it can be executed from init_user_ns.
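As an added defender-side check, not part of this bug report or of the Ubuntu patches: the script below parses /proc/self/mountinfo and flags every overlay mount that is not itself nosuid while one of its lowerdir or upperdir layers sits on a nosuid mount (the fuse-under-overlayfs layout described above), i.e. the configuration the later "Propogate nosuid" fix closes. It assumes that the layer paths recorded in the overlay's super options resolve against the same root as the mountinfo being read; the sample mountinfo is constructed, not captured from a real host.

```python
#!/usr/bin/env python3
"""Flag overlay mounts that drop nosuid on a layer that has it.

A lower (here fuse) or upper layer mounted nosuid under an overlay that is
not nosuid lets a setuid file copied up out of that layer run with its
setuid bit honoured. Run with --live to read /proc/self/mountinfo.
"""
import re
import sys

# Constructed sample in /proc/self/mountinfo format (not from a real host):
# id parent maj:min root mountpoint mnt-opts [optional...] - fstype source super-opts
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
40 22 0:35 / /home/user/fuse rw,nosuid,nodev,relatime - fuse.fuseext2 fuseext2 rw,user_id=1000,group_id=1000
41 22 0:36 / /home/user/merged rw,relatime - overlay overlay rw,lowerdir=/home/user/fuse,upperdir=/home/user/upper,workdir=/home/user/work
42 22 0:37 / /srv/safe rw,nosuid,relatime - overlay overlay rw,lowerdir=/home/user/fuse,upperdir=/srv/upper,workdir=/srv/work
43 22 0:38 / /mnt/stack rw,relatime - overlay overlay rw,lowerdir=/home/user/fuse:/opt/base,upperdir=/mnt/upper,workdir=/mnt/work
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    """mountinfo encodes space, tab, newline and backslash as \\ooo octal."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return one dict per mount with the fields this audit needs."""
    mounts = []
    for line in text.splitlines():
        # Optional fields (shared:1, master:2, ...) end at a lone "-" token.
        pre, sep, post = line.partition(" - ")
        pre_fields = pre.split()
        if not sep or len(pre_fields) < 6:
            continue  # blank or malformed line
        post_fields = post.split(None, 2)
        mounts.append({
            "mount_point": _unescape(pre_fields[4]),
            # Per-mount flags: nosuid lives here, not in the super options.
            "mount_opts": set(pre_fields[5].split(",")),
            "fstype": post_fields[0],
            "super_opts": post_fields[2] if len(post_fields) > 2 else "",
        })
    return mounts


def mount_for_path(path, mounts):
    """Longest-prefix match: the mount a path resolves into."""
    best = None
    for m in mounts:
        mp = m["mount_point"]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mount_point"]):
                best = m
    return best


def overlay_layers(super_opts):
    """Yield (role, path) for each lowerdir (colon separated) and the upperdir.
    Assumption: layer paths contain no escaped ':' or ',' separators."""
    for opt in super_opts.split(","):
        key, eq, value = opt.partition("=")
        if key == "lowerdir" and eq:
            for p in value.split(":"):
                yield "lowerdir", _unescape(p)
        elif key == "upperdir" and eq:
            yield "upperdir", _unescape(value)


def audit_overlay_nosuid(mounts):
    """Report layers on nosuid mounts beneath an overlay that is not nosuid."""
    findings = []
    for ovl in mounts:
        if ovl["fstype"] != "overlay" or "nosuid" in ovl["mount_opts"]:
            continue  # not an overlay, or nosuid already propagated
        for role, layer_path in overlay_layers(ovl["super_opts"]):
            backing = mount_for_path(layer_path, mounts)
            if backing is not None and "nosuid" in backing["mount_opts"]:
                findings.append({
                    "overlay": ovl["mount_point"],
                    "role": role,
                    "layer_path": layer_path,
                    "backing_mount": backing["mount_point"],
                    "backing_fstype": backing["fstype"],
                })
    return findings


def main(argv):
    if "--live" in argv[1:]:
        with open("/proc/self/mountinfo") as f:
            text = f.read()
    else:
        text = SAMPLE_MOUNTINFO
    findings = audit_overlay_nosuid(parse_mountinfo(text))
    for f in findings:
        print("overlay %(overlay)s: %(role)s %(layer_path)s is on nosuid "
              "%(backing_fstype)s mount %(backing_mount)s" % f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample, the overlay at /home/user/merged and the multi-lower overlay at /mnt/stack are reported for their fuse lower layer, while /srv/safe is skipped because nosuid was propagated to the overlay itself.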

Seth Forshee (sforshee) wrote :

halfdog: I have some patches to fix both this bug and 1534961 for wily/xenial; I'm still working on a backport for trusty. There may still be one bug with them, but I wanted to go ahead and get them to you so you could try them out. I'm attaching the patches (based on wily; they need minor adjustments for xenial). I'll get you builds as soon as I can too, I'm just not sure when that will be as I'm currently in transit.

halfdog (halfdog) wrote :

Checking wily: is this behavior intended?
* Mount fuse-fs to a/b/
* Enter namespace
* List content of a/b/ -> works
* Create overlay with lower=a to c
* Directory c/b/ (fuse mountpoint) now visible but not content of old a/b/ (fuse files)

I just can't see which part of the patches allows this to work when lower=a/b but not with lower=a.

Seth Forshee (sforshee) wrote : Re: [Bug 1535150] Re: overlayfs over fuse should refuse copy_up of files if uid/gid not mapped

On Sun, Jan 31, 2016 at 08:07:44AM -0000, halfdog wrote:
> Checking wily: is this behavior intended?
> * Mount fuse-fs to a/b/
> * Enter namespace
> * List content of a/b/ -> works
> * Create overlay with lower=a to c
> * DIrectory c/b/ (fuse mountpoint) now visible but not content of old a/b/ (fuse files)
>
> I just can't see, which part of the patches allows this to work when
> lower=a/b but not with lower=a.

First, I'll point out that this behavior is not a result of these patches. You'll get the same behavior running a kernel from the archive, or if a/b/ is a loopback mount instead of a fuse mount.

I'd have to look into it more to be certain, but I'm pretty sure this is because overlayfs creates a private clone of the mount of lowerdir (and upperdir as well) but does not clone the child mounts of that mount. When your filesystem is mounted on lowerdir itself it's this mount that gets cloned, thus the files are there. When it's mounted in a subdirectory your fuse mount does not get cloned, thus you do not see it in the overlayfs mount.

halfdog (halfdog) wrote : Re: overlayfs over fuse should refuse copy_up of files if uid/gid not mapped

You are right; I also checked the older kernels, and it seems that I did not notice that behavior on the first test run.

Went through all my test cases and tried to spot any errors in your patches, but found nothing. Brilliant work!

halfdog (halfdog)
description: updated
Tyler Hicks (tyhicks)
Changed in linux (Ubuntu):
status: New → Confirmed
importance: Undecided → Critical
J. R. Okajima (hooanon05) wrote :

The security bug hunter halfdog kindly invited me here.

These 6 patches using the mounter's cred are an interesting approach, but I have a question.
- mount(2) requires CAP_SYS_ADMIN only. CAP_CHOWN is not necessary.
- the internal copy-up requires CAP_CHOWN. CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_CHOWN, and CAP_MKNOD.

When the mounter doesn't have CAP_CHOWN and others, can a user open the file which is owned by another user?

Unfortunately my machine environment doesn't allow me to test it by myself.

Seth Forshee (sforshee) wrote : Re: [Bug 1535150] Re: overlayfs over fuse should refuse copy_up of files if uid/gid not mapped

On Wed, Feb 17, 2016 at 07:11:57AM -0000, J. R. Okajima wrote:
> The security bug hunter halfdog kindly invited me here.
>
> These 6 patches using the mounter's cred are interesting approach, but I have a question.
> - mount(2) requires CAP_SYS_ADMIN only. CAP_CHOWN is not necessary.
> - the internal copy-up requires CAP_CHOWN. CAP_DAC_OVERRIDE, CAP_FOWNER, CAP_FSETID, CAP_CHOWN, and CAP_MKNOD.

Yes, mount(2) requires CAP_SYS_ADMIN only. Any access to files and directories in the mounted filesystem is subject to DAC checks on the relevant inodes, see inode_permission(). This eventually results in calling generic_permission(). You can see there that there are capability checks for either CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH, depending on context, to allow operations which otherwise would not be permitted by DAC.

Note that for overlayfs ovl_permission() gets called from do_inode_permission(), which in turn checks permissions on the relevant inode from the upper or lower mount.

With respect to CAP_CHOWN, this gets checked in inode_change_ok() when changing inode attributes. You can see that ovl_setattr() calls this without holding any elevated privileges.

> When the mounter doesn't have CAP_CHOWN and others, can a user open the
> file which is owned by another user?

Normal users will be subject to DAC (and MAC for that matter) when attempting to open any file. As I explained above, a user with either CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH in the user namespace of the mount namespace to which the mount belongs may not be subject to DAC in many circumstances.

The cases where overlayfs takes on additional capabilities are after DAC/MAC checks have completed. In essence these are taken for operations done by the kernel in upperdir in order to satisfy the user request which the vfs has already allowed in the overlayfs mount.

Marc Deslauriers (mdeslaur) wrote : Re: overlayfs over fuse should refuse copy_up of files if uid/gid not mapped

This is CVE-2016-1576

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.2.0-30.35

---------------
linux (4.2.0-30.35) wily; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of selectively
    raising caps
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
    xattrs
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576

linux (4.2.0-29.34) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1543167

  [ Brad Figg ]

  * Revert "SAUCE: apparmor: fix sleep from invalid context"
    - LP: #1542049

  [ Upstream Kernel Changes ]

  * Revert "af_unix: Revert 'lock_interruptible' in stream receive code"
    - LP: #1540731

linux (4.2.0-28.33) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1540634

  [ Brad Figg ]

  * CONFIG: CONFIG_DEBUG_UART_BCM63XX is not set

  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
    - LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
    - LP: #1533043

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is
    being shutdown
    - LP: #1446906
  * SAUCE: apparmor: fix sleep from invalid context
    - LP: #1539349

  [ Tim Gardner ]

  * [Config] Add pvpanic to virtual flavour
    - LP: #1537923

  [ Upstream Kernel Changes ]

  * Revert "ACPI / LPSS: allow to use specific PM domain during ->probe()"
    - LP: #1540532
  * tools: Add a "make all" rule
    - LP: #1536370
  * vf610_adc: Fix internal temperature calculation
    - LP: #1536370
  * iio: lpc32xx_adc: fix warnings caused by enabling unprepared clock
    - LP: #1536370
  * iio:ad5064: Make sure ad5064_i2c_write() returns 0 on success
    - LP: #1536370
  * iio: ad5064: Fix ad5629/ad5669 shift
    - LP: #1536370
  * iio:ad7793: Fix ad7785 product ID
    - LP: #1536370
  * iio: adc: vf610_adc: Fix division by zero error
    - LP: #1536370
  * mmc: mmc: Improve reliability of mmc_select_hs200()
    - LP: #1536370
  * mmc: mmc: Fix HS setting in mmc_select_hs400()
    - LP: #1536370
  * mmc: mmc: Move mmc_switch_status()
    - LP: #1536370
  * mmc: mmc: Improve reliability of mmc_select_hs400()
    - LP: #1536370
  * crypto: qat - don't use userspace pointer
    - LP: #1536370
  * iio: si7020: Swap data byte order
    - LP: #1536370
  * iio: adc: xilinx: Fix VREFN scale
    - LP: #1536370
  * ipmi: Start the timer and thread on internal msgs
    - LP: #1536370
  * drm/i915: quirk backlight present on Macbook 4, 1
    - LP: #1536370
  * drm/i915: get runtime PM reference around GEM set_caching IOCTL
    - LP: #1536370
  * drm/radeon: Disable uncacheable CPU mappings of GTT with RV6xx
    - LP: #1536370
  *...

Changed in linux (Ubuntu Wily):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.19.0-51.57

---------------
linux (3.19.0-51.57) vivid; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of selectively
    raising caps
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
    xattrs
    - LP: #1531747, #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576

linux (3.19.0-50.56) vivid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1540576

  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
    - LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
    - LP: #1533043

  [ John Johansen ]

  * SAUCE: (no-up): apparmor: fix for failed mediation of socket that is
    being shutdown
    - LP: #1446906

  [ Upstream Kernel Changes ]

  * drivers/base/memory.c: fix kernel warning during memory hotplug on
    ppc64
    - LP: #1463654
  * sched/wait: Fix signal handling in bit wait helpers
    - LP: #1537859
  * sched/wait: Fix the signal handling fix
    - LP: #1537859
  * ARC: Fix silly typo in MAINTAINERS file
    - LP: #1537859
  * ip6mr: call del_timer_sync() in ip6mr_free_table()
    - LP: #1537859
  * gre6: allow to update all parameters via rtnl
    - LP: #1537859
  * atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
    - LP: #1537859
  * sctp: use the same clock as if sock source timestamps were on
    - LP: #1537859
  * sctp: update the netstamp_needed counter when copying sockets
    - LP: #1537859
  * sctp: also copy sk_tsflags when copying the socket
    - LP: #1537859
  * net: qca_spi: fix transmit queue timeout handling
    - LP: #1537859
  * ipv6: sctp: clone options to avoid use after free
    - LP: #1537859
  * net: add validation for the socket syscall protocol argument
    - LP: #1537859
  * sh_eth: fix kernel oops in skb_put()
    - LP: #1537859
  * net: fix IP early demux races
    - LP: #1537859
  * vlan: Fix untag operations of stacked vlans with REORDER_HEADER off
    - LP: #1537859
  * skbuff: Fix offset error in skb_reorder_vlan_header
    - LP: #1537859
  * pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
    - LP: #1537859
  * bluetooth: Validate socket address length in sco_sock_bind().
    - LP: #1537859
  * fou: clean up socket with kfree_rcu
    - LP: #1537859
  * af_unix: Revert 'lock_interruptible' in stream receive code
    - LP: #1537859
  * KEYS: Fix race between read and revoke
    - LP: #1537859
  * tools: Add a "make all" rule
    - LP: #1537859
  * efi: Disable interrupts around EFI calls, not in the epilog/prolog
    calls
    - LP: #1537859
  * fuse: break infinite loop in fuse_fill_write_pages()
    - LP: #1537859
  * usb: gadget: pxa2...

Changed in linux (Ubuntu Vivid):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-79.123

---------------
linux (3.13.0-79.123) trusty; urgency=low

  [ Seth Forshee ]

  * SAUCE: cred: Add clone_cred() interface
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Use mounter's credentials instead of full kernel
    credentials
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.*
    xattrs
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Be more careful about copying up sxid files
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576
  * SAUCE: overlayfs: Propogate nosuid from lower and upper mounts
    - LP: #1534961, #1535150
    - CVE-2016-1575 CVE-2016-1576

linux (3.13.0-78.122) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1540559

  [ Eric Dumazet ]

  * SAUCE: (no-up) udp: properly support MSG_PEEK with truncated buffers
    - LP: #1527902

  [ J. R. Okajima ]

  * SAUCE: ubuntu: aufs: tiny, extract a new func xino_fwrite_wkq()
    - LP: #1533043
  * SAUCE: ubuntu: aufs: for 4.3, XINO handles EINTR from the dying process
    - LP: #1533043

  [ Upstream Kernel Changes ]

  * Revert "[stable-only] net: add length argument to
    skb_copy_and_csum_datagram_iovec"
    - LP: #1538756
  * unregister_netdevice : move RTM_DELLINK to until after ndo_uninit
    - LP: #1525324
  * rtnetlink: delay RTM_DELLINK notification until after ndo_uninit()
    - LP: #1525324
  * Drivers: hv: Eliminate the channel spinlock in the callback path
    - LP: #1519897
  * Drivers: hv: vmbus: Implement per-CPU mapping of relid to channel
    - LP: #1519897
  * Drivers: hv: vmbus: Suport an API to send pagebuffers with additional
    control
    - LP: #1519897
  * Drivers: hv: vmbus: Suport an API to send packet with additional
    control
    - LP: #1519897
  * Drivers: hv: vmbus: Export the vmbus_sendpacket_pagebuffer_ctl()
    - LP: #1519897
  * Drivers: hv: vmbus: Fix a siganlling host signalling issue
    - LP: #1519897
  * Drivers: hv: vmbus: Fix a Host signaling bug
    - LP: #1519897
  * ARC: Fix silly typo in MAINTAINERS file
    - LP: #1538756
  * ip6mr: call del_timer_sync() in ip6mr_free_table()
    - LP: #1538756
  * gre6: allow to update all parameters via rtnl
    - LP: #1538756
  * atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
    - LP: #1538756
  * sctp: use the same clock as if sock source timestamps were on
    - LP: #1538756
  * sctp: update the netstamp_needed counter when copying sockets
    - LP: #1538756
  * ipv6: sctp: clone options to avoid use after free
    - LP: #1538756
  * net: add validation for the socket syscall protocol argument
    - LP: #1538756
  * sh_eth: fix kernel oops in skb_put()
    - LP: #1538756
  * pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
    - LP: #1538756
  * bluetooth: Validate socket address length in sco_sock_bind().
    - LP: #1538756
  * af_unix: Revert 'lock_interruptible' in stream receive code
    - LP: #1538756
  * KEYS: Fix race between read and revoke
    - LP: #1538756
  * tools: Add a "make all" rule
    - LP: #1538...


Changed in linux (Ubuntu Trusty):
status: New → Fix Released
Steve Beattie (sbeattie)
information type: Private Security → Public Security
tags: added: patch
Steve Beattie (sbeattie)
tags: added: kernel-cve-skip-description
Changed in linux-lts-trusty (Ubuntu Precise):
status: New → Fix Released
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Trusty):
status: New → Fix Released
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux (Ubuntu Precise):
importance: Undecided → High
Changed in linux (Ubuntu Wily):
importance: Undecided → High
Changed in linux (Ubuntu Xenial):
importance: Critical → High
Changed in linux (Ubuntu Trusty):
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Precise):
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Precise):
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Trusty):
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Wily):
importance: Undecided → High
Changed in linux-manta (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-manta (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Trusty):
status: New → Fix Released
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Wily):
status: New → Fix Released
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Wily):
importance: Undecided → High
Changed in linux-mako (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-mako (Ubuntu Trusty):
status: New → Invalid
Steve Beattie (sbeattie)
Changed in linux-mako (Ubuntu Trusty):
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Trusty):
status: New → Fix Released
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Wily):
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Wily):
importance: Undecided → High
Changed in linux-flo (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-flo (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-8.23

---------------
linux (4.4.0-8.23) xenial; urgency=low

  * cgroup namespace mounts broken in containers (LP: #1549398)
    - SAUCE: kernfs: Always set super block owner to init_user_ns

  * 4.4.0-7.22 no longer boots on arm64 (LP: #1547718)
    - arm64: mm: avoid calling apply_to_page_range on empty range
    - UBUNTU SAUCE: arm: mm: avoid calling apply_to_page_range on empty range

  * kernel install failed /bin/cp: cannot stat ‘/boot/initrd.img-4.3.0-7-generic’: No such file or directory (LP: #1536810)
    - [Config] postinst -- handle recreating symlinks when a real file is present

  * insecure overlayfs xattrs handling in copy_up (LP: #1534961)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
    - SAUCE: overlayfs: Be more careful about copying up sxid files
    - SAUCE: overlayfs: Propogate nosuid from lower and upper mounts

  * overlayfs over fuse should refuse copy_up of files if uid/gid not mapped (LP: #1535150)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
    - SAUCE: overlayfs: Be more careful about copying up sxid files
    - SAUCE: overlayfs: Propogate nosuid from lower and upper mounts

  * overlay: mkdir fails if directory exists in lowerdir in a user namespace (LP: #1531747)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs

  * Update Intel ethernet drivers to Fortville SW5 (LP: #1547674)
    - net: bulk free infrastructure for NAPI context, use napi_consume_skb
    - net: Add eth_platform_get_mac_address() helper.
    - i40e: Add mac_filter_element at the end of the list instead of HEAD
    - i40e/i40evf: Fix RSS rx-flow-hash configuration through ethtool
    - i40e: Replace X722 mac check in ethtool get_settings
    - i40evf: allow channel bonding of VFs
    - i40e: define function capabilities in only one place
    - i40evf: null out ring pointers on free
    - i40e: Cleanup the code with respect to restarting autoneg
    - i40e: update features with right offload
    - i40e: bump version to 1.4.10
    - i40e: add new device IDs for X722
    - i40e: Extend ethtool RSS hooks for X722
    - i40e/i40evf: Fix for UDP/TCP RSS for X722
    - i40evf: add new write-back mode
    - i40e/i40evf: Use private workqueue
    - i40e: add new proxy-wol bit for X722
    - i40e: Limit DCB FW version checks to X710/XL710 devices
    - i40e: AQ Add Run PHY Activity struct
    - i40e: AQ Geneve cloud tunnel type
    - i40e: AQ Add external power class to get link status
    - i40e: add 100Mb ethtool reporting
    - ixgbe: bulk free SKBs during TX completion cleanup cycle
    - igb: Remove unnecessary flag setting in igb_set_flag_queue_pairs()
    - igb: Unpair the queues when changing the number of queues...

Changed in linux (Ubuntu Xenial):
status: Confirmed → Fix Released
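The copy_up condition named in the changelog entry above ("refuse copy_up of files if uid/gid not mapped") is the point a practitioner will want to see spelled out: inside a user namespace a file whose owner kuid/kgid has no entry in the namespace's uid_map/gid_map must not be copied up, because the mounter cannot legitimately own or chown such a file. The following added example is not code from the Ubuntu kernel or from the patches listed; it is a userland mirror of the check, written here for illustration. It parses the "inner outer count" text format of /proc/<pid>/uid_map and /proc/<pid>/gid_map, reimplements the kernel's kuid_has_mapping() test over the parsed extents, and fails closed on malformed input. The function names (parse_id_map, uid_mapped_in, copy_up_allowed), the five-extent limit and the two sample maps are all assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* One "inner outer count" extent of a /proc/<pid>/uid_map or gid_map line. */
struct id_extent {
    unsigned long first_inner;  /* first id as seen inside the user namespace */
    unsigned long first_outer;  /* first id as seen from the parent (kernel-global kuid/kgid) */
    unsigned long count;        /* number of ids in the extent */
};

/* Assumption for this demo: the classic limit of five extents per map file. */
#define MAX_EXTENTS 5

struct id_map {
    struct id_extent ext[MAX_EXTENTS];
    size_t n;
};

/* Parse the text of a uid_map/gid_map file. Returns 0 on success, -1 on malformed input. */
static int parse_id_map(const char *text, struct id_map *m)
{
    const char *p = text;
    m->n = 0;
    for (;;) {
        while (*p == ' ' || *p == '\t' || *p == '\n')
            p++;
        if (*p == '\0')
            return 0;
        unsigned long inner, outer, count;
        int used = 0;
        if (sscanf(p, "%lu %lu %lu%n", &inner, &outer, &count, &used) != 3 || used == 0)
            return -1;
        if (m->n >= MAX_EXTENTS || count == 0 || outer + count < outer)
            return -1;  /* too many extents, empty extent, or arithmetic overflow */
        m->ext[m->n++] = (struct id_extent){ inner, outer, count };
        p += used;
    }
}

/* Mirror of the kernel's kuid_has_mapping(): is the kernel-global id inside any extent
 * of this namespace's map (i.e. does it translate to a valid id inside the namespace)? */
static bool id_has_mapping(const struct id_map *m, unsigned long kid)
{
    for (size_t i = 0; i < m->n; i++)
        if (kid >= m->ext[i].first_outer && kid - m->ext[i].first_outer < m->ext[i].count)
            return true;
    return false;
}

/* Wrapper over raw map text. An unparseable map is treated as "nothing mapped" (fail closed). */
bool uid_mapped_in(const char *map_text, unsigned long kid)
{
    struct id_map m;
    if (parse_id_map(map_text, &m) != 0)
        return false;
    return id_has_mapping(&m, kid);
}

/* The decision the fix enforces before copy_up: both the file's owner uid and its
 * group gid must be mapped in the mounter's user namespace, otherwise refuse. */
bool copy_up_allowed(const char *uid_map_text, const char *gid_map_text,
                     unsigned long file_kuid, unsigned long file_kgid)
{
    return uid_mapped_in(uid_map_text, file_kuid) && uid_mapped_in(gid_map_text, file_kgid);
}

/* Constructed sample maps (not captured from a real system). */
/* Unprivileged user namespace: only host uid/gid 1000 is mapped, as id 0 inside. */
const char SINGLE_USER_MAP[] = "         0       1000          1\n";
/* Container-style map: a 65536-id subid range plus the owning user's own id. */
const char SUBID_MAP[] = "         0     100000      65536\n"
                         "     65536       1000          1\n";

int main(void)
{
    /* A root-owned (kuid 0) file on a lower FUSE mount is unmapped here, so copy_up must be refused. */
    printf("kuid 0 in single-user ns: %s\n",
           uid_mapped_in(SINGLE_USER_MAP, 0) ? "mapped" : "unmapped");
    printf("copy_up of uid=1000 gid=1000 file: %s\n",
           copy_up_allowed(SINGLE_USER_MAP, SINGLE_USER_MAP, 1000, 1000) ? "allowed" : "refused");
    printf("copy_up of uid=0 gid=0 file: %s\n",
           copy_up_allowed(SINGLE_USER_MAP, SINGLE_USER_MAP, 0, 0) ? "allowed" : "refused");
    return 0;
}
```

The check is deliberately over the kernel-global (outer) id, not the id a process sees inside the namespace: that is the direction in which the overlay mounter's credentials are evaluated, and it is why a root-owned file on the lower filesystem is unmapped in an unprivileged namespace even though the namespace has an id 0 of its own. Treating a malformed map as "nothing mapped" keeps the decision fail-closed.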
Steve Beattie (sbeattie)
Changed in linux-lts-xenial (Ubuntu Trusty):
status: New → Invalid
Changed in linux-raspi2 (Ubuntu Xenial):
status: New → Invalid
Steve Beattie (sbeattie)
Changed in linux-manta (Ubuntu Xenial):
status: New → Invalid
Steve Beattie (sbeattie)
Changed in linux-snapdragon (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Steve Beattie (sbeattie)
tags: added: kernel-cve-tracking-bug
Mathew Hodson (mhodson)
Changed in linux (Ubuntu Vivid):
importance: Undecided → High
Mathew Hodson (mhodson)
summary: - overlayfs over fuse should refuse copy_up of files if uid/gid not mapped
+ CVE-2016-1576
Changed in linux (Ubuntu Yakkety):
status: Fix Released → Invalid
Andy Whitcroft (apw)
Changed in linux (Ubuntu Yakkety):
status: Invalid → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.8.0-11.12

---------------
linux (4.8.0-11.12) yakkety; urgency=low

  * change_hat is logging failures during expected hat probing (LP: #1615893)
    - SAUCE: apparmor: Fix auditing behavior for change_hat probing

  * deleted files outside of the namespace are not being treated as
    disconnected
    (LP: #1615892)
    - SAUCE: apparmor: deleted dentries can be disconnected

  * stacking to unconfined in a child namespace confuses mediation
    (LP: #1615890)
    - SAUCE: apparmor: special case unconfined when determining the mode

  * apparmor module parameters can be changed after the policy is locked
    (LP: #1615895)
    - SAUCE: apparmor: fix: parameters can be changed after policy is locked

  * AppArmor profile reloading causes an intermittent kernel BUG (LP:
    #1579135)
    - SAUCE: apparmor: fix vec_unique for vectors larger than 8

  * label vec reductions can result in reference labels instead of direct
    access
    to labels (LP: #1615889)
    - SAUCE: apparmor: reduction of vec to single entry is just that entry

  * profiles from different namespaces can block other namespaces from being
    able to load a profile (LP: #1615887)
    - SAUCE: apparmor: profiles in one ns can affect mediation in another ns

  * The label build for onexec when stacking is wrong (LP: #1615881)
    - SAUCE: apparmor: Fix label build for onexec stacking.

  * The inherit check for new to old label comparison for domain transitions
    is
    wrong (LP: #1615880)
    - SAUCE: apparmor: Fix new to old label comparison for domain transitions

  * warning stack trace while playing with apparmor namespaces (LP: #1593874)
    - SAUCE: apparmor: fix stack trace when removing namespace with profiles

  * __label_update proxy comparison test is wrong (LP: #1615878)
    - SAUCE: apparmor: Fix __label_update proxy comparison test

  * reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN
    (LP: #1560583)
    - SAUCE: apparmor: Allow ns_root processes to open profiles file
    - SAUCE: apparmor: Consult sysctl when reading profiles in a user ns

  * policy namespace stacking (LP: #1379535)
    - SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
    - SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading

  * Miscellaneous Ubuntu changes
    - [Debian] Dynamically determine linux udebs package name
    - [Debian] d-i -- fix dtb handling in new kernel-wedge form
    - SAUCE: apparmor: Fix FTBFS due to bad include path
    - SAUCE: apparmor: add data query support
    - [Config] Set CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y

  * Miscellaneous upstream changes
    - fixup backout policy view capable for forward port
    - apparmor: fix: Rework the iter loop for label_update
    - apparmor: add more assertions for updates/merges to help catch errors
    - apparmor: Make pivot root transitions work with stacking
    - apparmor: convert delegating deleted files to mediate deleted files
    - apparmor: add missing parens. not a bug fix but highly recommended
    - apparmor: add a stack_version file to allow detection of bug fixes
    - apparmor: push path looku...

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-raspi2 - 4.10.0-1001.3

---------------
linux-raspi2 (4.10.0-1001.3) zesty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1673826

  * Rebased against Ubuntu-4.10.0-14.16
  * Updated BSP from https://github.com/raspberrypi/linux.git rpi-4.10.y
    to commit 8703162f0a3d04c74beb96973bf4180c14a08272

  * msleep() bug causes Nuvoton I2C TPM device driver delays (LP: #1667567)
    - tpm: msleep() delays - replace with usleep_range() in i2c nuvoton driver
    - SAUCE: tpm: add sleep only for retry in i2c_nuvoton_write_status()

  * C++ demangling support missing from perf (LP: #1396654)
    - [Config] added binutils-dev to Build-deps

  * dm-queue-length module is not included in installer/initramfs (LP: #1673350)
    - [Config] d-i: Also add dm-queue-length to multipath modules

  * move aufs.ko from -extra to linux-image package (LP: #1673498)
    - [config] aufs.ko moved to linux-image package

  * Using an NVMe drive causes huge power drain (LP: #1664602)
    - nvme: Add a quirk mechanism that uses identify_ctrl
    - nvme: Enable autonomous power state transitions

  * Broadcom bluetooth modules sometimes fail to initialize (LP: #1483101)
    - Bluetooth: btbcm: Add a delay for module reset

  * Need support of Broadcom bluetooth device [413c:8143] (LP: #1166113)
    - Bluetooth: btusb: Add support for 413c:8143

  * Zesty update to v4.10.3 stable release (LP: #1673118)
    - serial: 8250_pci: Add MKS Tenta SCOM-0800 and SCOM-0801 cards
    - KVM: s390: Disable dirty log retrieval for UCONTROL guests
    - KVM: VMX: use correct vmcs_read/write for guest segment selector/base
    - Bluetooth: Add another AR3012 04ca:3018 device
    - phy: qcom-ufs: Don't kfree devres resource
    - phy: qcom-ufs: Fix misplaced jump label
    - s390/qdio: clear DSCI prior to scanning multiple input queues
    - s390/dcssblk: fix device size calculation in dcssblk_direct_access()
    - s390/kdump: Use "LINUX" ELF note name instead of "CORE"
    - s390/chsc: Add exception handler for CHSC instruction
    - s390: TASK_SIZE for kernel threads
    - s390/topology: correct allocation of topology information
    - s390: make setup_randomness work
    - s390: use correct input data address for setup_randomness
    - net: mvpp2: fix DMA address calculation in mvpp2_txq_inc_put()
    - cxl: Prevent read/write to AFU config space while AFU not configured
    - cxl: fix nested locking hang during EEH hotplug
    - brcmfmac: fix incorrect event channel deduction
    - mnt: Tuck mounts under others instead of creating shadow/side mounts.
    - IB/ipoib: Fix deadlock between rmmod and set_mode
    - IB/IPoIB: Add destination address when re-queue packet
    - IB/mlx5: Fix out-of-bound access
    - IB/SRP: Avoid using IB_MR_TYPE_SG_GAPS
    - IB/srp: Avoid that duplicate responses trigger a kernel bug
    - IB/srp: Fix race conditions related to task management
    - Btrfs: fix data loss after truncate when using the no-holes feature
    - orangefs: Use RCU for destroy_inode
    - memory/atmel-ebi: Fix ns <-> cycles conversions
    - tracing: Fix return value check in trace_benchmark_reg()
    - ktest: Fix child exi...

Changed in linux-raspi2 (Ubuntu):
status: Invalid → Fix Released
Revision history for this message
Andy Whitcroft (apw) wrote : Closing unsupported series nomination.

This bug was nominated against a series that is no longer supported, i.e. vivid. The bug task representing the vivid nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux-armadaxp (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-flo (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-goldfish (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-lts-quantal (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-lts-trusty (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-lts-utopic (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-lts-vivid (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-lts-wily (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-raspi2 (Ubuntu Vivid):
status: New → Won't Fix
Andy Whitcroft (apw)
Changed in linux-ti-omap4 (Ubuntu Vivid):
status: New → Won't Fix
Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in linux (Ubuntu Precise):
status: New → Won't Fix
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Won't Fix
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Won't Fix