
kernel-packages team mailing list archive

[Bug 1535150] Re: overlayfs over fuse should refuse copy_up of files if uid/gid not mapped

 

This bug was fixed in the package linux - 4.4.0-8.23

---------------
linux (4.4.0-8.23) xenial; urgency=low

  * cgroup namespace mounts broken in containers (LP: #1549398)
    - SAUCE: kernfs: Always set super block owner to init_user_ns

  * 4.4.0-7.22 no longer boots on arm64 (LP: #1547718)
    - arm64: mm: avoid calling apply_to_page_range on empty range
    - UBUNTU SAUCE: arm: mm: avoid calling apply_to_page_range on empty range

  * kernel install failed /bin/cp: cannot stat ‘/boot/initrd.img-4.3.0-7-generic’: No such file or directory (LP: #1536810)
    - [Config] postinst -- handle recreating symlinks when a real file is present

  * insecure overlayfs xattrs handling in copy_up (LP: #1534961)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
    - SAUCE: overlayfs: Be more careful about copying up sxid files
    - SAUCE: overlayfs: Propagate nosuid from lower and upper mounts

  * overlayfs over fuse should refuse copy_up of files if uid/gid not mapped (LP: #1535150)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs
    - SAUCE: overlayfs: Be more careful about copying up sxid files
    - SAUCE: overlayfs: Propagate nosuid from lower and upper mounts

  * overlay: mkdir fails if directory exists in lowerdir in a user namespace (LP: #1531747)
    - SAUCE: cred: Add clone_cred() interface
    - SAUCE: overlayfs: Use mounter's credentials instead of selectively raising caps
    - SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs

  * Update Intel ethernet drivers to Fortville SW5 (LP: #1547674)
    - net: bulk free infrastructure for NAPI context, use napi_consume_skb
    - net: Add eth_platform_get_mac_address() helper.
    - i40e: Add mac_filter_element at the end of the list instead of HEAD
    - i40e/i40evf: Fix RSS rx-flow-hash configuration through ethtool
    - i40e: Replace X722 mac check in ethtool get_settings
    - i40evf: allow channel bonding of VFs
    - i40e: define function capabilities in only one place
    - i40evf: null out ring pointers on free
    - i40e: Cleanup the code with respect to restarting autoneg
    - i40e: update features with right offload
    - i40e: bump version to 1.4.10
    - i40e: add new device IDs for X722
    - i40e: Extend ethtool RSS hooks for X722
    - i40e/i40evf: Fix for UDP/TCP RSS for X722
    - i40evf: add new write-back mode
    - i40e/i40evf: Use private workqueue
    - i40e: add new proxy-wol bit for X722
    - i40e: Limit DCB FW version checks to X710/XL710 devices
    - i40e: AQ Add Run PHY Activity struct
    - i40e: AQ Geneve cloud tunnel type
    - i40e: AQ Add external power class to get link status
    - i40e: add 100Mb ethtool reporting
    - ixgbe: bulk free SKBs during TX completion cleanup cycle
    - igb: Remove unnecessary flag setting in igb_set_flag_queue_pairs()
    - igb: Unpair the queues when changing the number of queues
    - igb/igbvf: don't give up
    - igb: clean up code for setting MAC address
    - igb: Refactor VFTA configuration
    - igb: Allow asymmetric configuration of MTU versus Rx frame size
    - igb: Do not factor VLANs into RLPML calculation
    - igb: Always enable VLAN 0 even if 8021q is not loaded
    - igb: Merge VLVF configuration into igb_vfta_set
    - igb: Clean-up configuration of VF port VLANs
    - igb: Add support for VLAN promiscuous with SR-IOV and NTUPLE
    - igb: Drop unnecessary checks in transmit path
    - igb: Enable use of "bridge fdb add" to set unicast table entries
    - igb: Add workaround for VLAN tag stripping on 82576
    - i40e: AQ Shared resource flags
    - i40e: AQ Add set_switch_config
    - i40e: AQ Add VXLAN-GPE tunnel type
    - i40e: AQ thermal sensor control struct
    - i40e: Bump AQ minor version to 1.5 for new FW features
    - i40e: Store lan_vsi_idx and lan_vsi_id in the right size
    - i40e: fix write-back-on-itr to work with legacy itr
    - i40e: add counter for arq overflows
    - i40e: add 20G speed for Tx bandwidth calculations
    - i40e: refactor DCB function
    - i40e: add a little more to an NVM update debug message
    - i40evf: enable bus master after reset
    - i40e: add netdev info to VSI dump
    - i40e: remove VF device IDs from PF
    - i40e: trivial: remove unnecessary local var
    - i40e/i40evf: Bump i40e to 1.4.11 and i40evf to 1.4.7
    - net: ixgbe: add minimal parser details for ixgbe
    - i40e: trivial: drop duplicate definition
    - i40e: trivial: fix missing space
    - i40e: fix bug in dma sync
    - i40e: do TSO only if CHECKSUM_PARTIAL is set
    - i40e: allocate memory safer
    - i40e: fix: do not sleep in netdev_ops
    - i40e: APIs to Add/remove port mirroring rules
    - i40e: negate PHY int mask bits
    - i40e: drop unused function
    - i40e: count allocation errors
    - i40e: avoid large memcpy by assigning struct
    - i40e/i40evf: bump version to 1.4.12/1.4.8
    - i40e: Enable Geneve offload for FW API ver > 1.4 for XL710/X710 devices
    - i40e: add priv flag for automatic rule eviction
    - i40e: use eth_platform_get_mac_address()
    - i40e: move sync_vsi_filters up in service_task
    - i40e: Make the DCB firmware checks for X710/XL710 only
    - i40e: set shared bit for multicast filters
    - i40e: add VEB stat control and remove L2 cloud filter
    - i40e: use new add_veb calling with VEB stats control
    - i40e: Refactor force_wb and WB_ON_ITR functionality code
    - i40evf: Change vf driver string to reflect all products i40evf supports
    - i40e/i40evf: don't lose interrupts
    - i40e/i40evf: try again after failure
    - i40e: dump descriptor indexes in hex
    - i40e/i40evf: use __GFP_NOWARN
    - i40e/i40evf: use pages correctly in Rx
    - i40e/i40evf: use logical operators, not bitwise
    - i40e: properly show packet split status in debugfs
    - i40e/i40evf: Bump version
    - ixgbe: use u32 instead of __u32 in model header
    - ixgbe: fix dates on header of ixgbe_model.h
    - i40e: get rid of magic number
    - i40e: drop unused debugfs file "dump"
    - i40evf: support packet split receive
    - i40e: trivial: cleanup use of pf->hw
    - i40e: Add a SW workaround for lost interrupts
    - i40e: Fix PROMISC mode for Multi-function per port (MFP) devices
    - i40e: Removal of code which relies on BASE VEB SEID
    - i40e/i40evf: avoid atomics
    - i40e: Do not disable queues in the Legacy/MSI Interrupt handler
    - i40e: expand comment
    - i40e: better error reporting for nvmupdate
    - i40evf: set adapter state on reset failure
    - i40e: clean event descriptor before use
    - i40e: When in promisc mode apply promisc mode to Tx Traffic as well
    - i40e/i40evf: Bump i40e to 1.4.15 and i40evf to 1.4.11.
    - i40e/i40evf: Drop outer checksum offload that was not requested
    - i40e/i40evf: Use u64 values instead of casting them in TSO function
    - i40e/i40evf: Factor out L4 header and checksum from L3 bits in TSO path
    - i40e/i40evf: Consolidate all header changes into TSO function
    - i40e/i40evf: Replace header pointers with unions of pointers in Tx checksum path
    - i40e/i40evf: Add support for IPv4 encapsulated in IPv6
    - i40e/i40evf: Handle IPv6 extension headers in checksum offload
    - i40e/i40evf: Do not write to descriptor unless we complete
    - i40e/i40evf: Add exception handling for Tx checksum
    - i40e/i40evf: Clean-up Rx packet checksum handling
    - i40e/i40evf: Enable support for SKB_GSO_UDP_TUNNEL_CSUM
    - i40e: Fix ATR in relation to tunnels
    - i40e: Do not drop support for IPv6 VXLAN or GENEVE tunnels
    - i40e: Update feature flags to reflect newly enabled features
    - i40evf: Update feature flags to reflect newly enabled features
    - i40e: Add support for ATR w/ IPv6 extension headers
    - i40e/i40evf: Break up xmit_descriptor_count from maybe_stop_tx
    - i40e/i40evf: Rewrite logic for 8 descriptor per packet check
    - i40e/i40evf: Move Tx checksum closer to TSO
    - i40e: Add functions to blink led on 10GBaseT PHY
    - i40e: Fix led blink capability for 10GBaseT PHY
    - i40e: Increase timeout when checking GLGEN_RSTAT_DEVSTATE bit
    - i40e: Do not wait for Rx queue disable in DCB reconfig
    - i40e: Fix for unexpected messaging
    - i40e: Expose some registers to program parser, FD and RSS logic
    - i40e: add check for null VSI
    - i40e: add adminq commands for Rx CTL registers
    - i40e: implement and use Rx CTL helper functions
    - i40e: Use the new rx ctl register helpers. Don't use AQ calls from clear_hw.
    - i40e: suspend scheduling during driver unload
    - i40e: let go of the past
    - i40e/i40evf: Bump i40e to 1.4.25 and i40evf to 1.4.15

  * MPT3SAS Driver update for next kernel release (LP: #1512221)
    - mpt3sas: A correction in unmap_resources
    - mpt3sas: Added support for high port count HBA variants.
    - mpt3sas: Used IEEE SGL instead of MPI SGL while framing a SMP Passthrough request message.
    - mpt3sas: Fix static analyzer(coverity) tool identified defects
    - mpt3sas: Never block the Enclosure device
    - mpt3sas: Make use of additional HighPriority credit message frames for sending SCSI IO's
    - mpt3sas: Added smp_affinity_enable module parameter.
    - mpt3sas: Add support for configurable Chain Frame Size
    - mpt3sas: Updated MPI Header to 2.00.42
    - mpt3sas: Fix for Asynchronous completion of timedout IO and task abort of timedout IO.
    - mpt3sas: Updating mpt3sas driver version to 12.100.00.00
    - mpt3sas: Remove cpumask_clear for zalloc_cpumask_var and don't free free_cpu_mask_var before reply_q

  * /sys/class/scsi_host/hostN/partition_number and .../mad_version showing up BE on LE Ubuntu. (ibmvscsi) (LP: #1547153)
    - ibmvscsi: Add endian conversions to sysfs attribute show functions

  * Miscellaneous Ubuntu changes
    - [Packaging] git-ubuntu-log -- output should be utf-8
    - [Packaging] git-ubuntu-log -- handle invalid or private bugs

 -- Andy Whitcroft <apw@xxxxxxxxxxxxx>  Wed, 24 Feb 2016 20:34:49 +0000

** Changed in: linux (Ubuntu Xenial)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1535150

Title:
  overlayfs over fuse should refuse copy_up of files if uid/gid not
  mapped

Status in linux package in Ubuntu:
  Fix Released
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  New
Status in linux-goldfish package in Ubuntu:
  New
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-lts-vivid package in Ubuntu:
  Invalid
Status in linux-lts-wily package in Ubuntu:
  Invalid
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  New
Status in linux-manta package in Ubuntu:
  New
Status in linux-raspi2 package in Ubuntu:
  New
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  New
Status in linux-armadaxp source package in Precise:
  New
Status in linux-flo source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-lts-vivid source package in Precise:
  Invalid
Status in linux-lts-wily source package in Precise:
  Invalid
Status in linux-lts-xenial source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-raspi2 source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  New
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux-lts-vivid source package in Trusty:
  Fix Released
Status in linux-lts-wily source package in Trusty:
  Fix Released
Status in linux-lts-xenial source package in Trusty:
  New
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-raspi2 source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  New
Status in linux-flo source package in Vivid:
  New
Status in linux-goldfish source package in Vivid:
  New
Status in linux-lts-quantal source package in Vivid:
  New
Status in linux-lts-raring source package in Vivid:
  New
Status in linux-lts-saucy source package in Vivid:
  New
Status in linux-lts-trusty source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  New
Status in linux-lts-vivid source package in Vivid:
  New
Status in linux-lts-wily source package in Vivid:
  New
Status in linux-lts-xenial source package in Vivid:
  New
Status in linux-mako source package in Vivid:
  New
Status in linux-manta source package in Vivid:
  New
Status in linux-raspi2 source package in Vivid:
  New
Status in linux-ti-omap4 source package in Vivid:
  New
Status in linux source package in Wily:
  Fix Released
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-flo source package in Wily:
  New
Status in linux-goldfish source package in Wily:
  New
Status in linux-lts-quantal source package in Wily:
  Invalid
Status in linux-lts-raring source package in Wily:
  Invalid
Status in linux-lts-saucy source package in Wily:
  Invalid
Status in linux-lts-trusty source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux-lts-vivid source package in Wily:
  Invalid
Status in linux-lts-wily source package in Wily:
  Invalid
Status in linux-lts-xenial source package in Wily:
  Invalid
Status in linux-mako source package in Wily:
  New
Status in linux-manta source package in Wily:
  New
Status in linux-raspi2 source package in Wily:
  Fix Released
Status in linux-ti-omap4 source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Released
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-flo source package in Xenial:
  New
Status in linux-goldfish source package in Xenial:
  New
Status in linux-lts-quantal source package in Xenial:
  Invalid
Status in linux-lts-raring source package in Xenial:
  Invalid
Status in linux-lts-saucy source package in Xenial:
  Invalid
Status in linux-lts-trusty source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid
Status in linux-lts-vivid source package in Xenial:
  Invalid
Status in linux-lts-wily source package in Xenial:
  Invalid
Status in linux-lts-xenial source package in Xenial:
  Invalid
Status in linux-mako source package in Xenial:
  New
Status in linux-manta source package in Xenial:
  New
Status in linux-raspi2 source package in Xenial:
  New
Status in linux-ti-omap4 source package in Xenial:
  Invalid

Bug description:
  On Ubuntu Wily it is possible to place a USERNS overlayfs mount over
  a fuse mount. The fuse filesystem may contain SUID binaries, but those
  cannot be executed due to nosuid mount options. But when touching such
  an SUID binary via overlayfs mount, this will trigger copy_up
  including all file attributes, thus creating a real SUID binary on the
  disk.

  Sequence:
  * Mount fuse filesystem exposing one world writable SUID binary
  * Create USERNS
  * Mount overlayfs on top of fuse
  * open the SUID binary RDWR in overlayfs, thus triggering copy_up

  Afterwards the SUID binary can be invoked to gain root privileges.

  For additional information, test tool see
  http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/
  (InvitedOnly/3YD9ufze) and attached sharing policy.

  
  $ lsb_release -rd
  Description:    Ubuntu 15.10
  Release:        15.10

  $ apt-cache policy linux-image-4.2.0-23-generic
  linux-image-4.2.0-23-generic:
    Installed: 4.2.0-23.28
    Candidate: 4.2.0-23.28
    Version table:
   *** 4.2.0-23.28 0
          500 http://archive.ubuntu.com/ubuntu/ wily-updates/main amd64 Packages
          500 http://archive.ubuntu.com/ubuntu/ wily-security/main amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1535150/+subscriptions