Description: Escape from sub-tree of bind-mounts
References:
 http://thread.gmane.org/gmane.linux.kernel.containers/28939/
 https://marc.info/?l=oss-security&m=142805871412239&w=2
Notes:
 bwh> This is usually dependent on having CAP_SYS_ADMIN in a user namespace
 bwh> (to change mounts), so not exploitable in older kernel versions.
 bwh> However, Eric Biederman says that some systems set up user sessions
 bwh> using chroots that are descendants of the user's home.  This bug
 bwh> allows escaping from such a chroot.
 jmm> Split from CVE-2014-9717:
 jmm> http://www.spinics.net/lists/linux-containers/msg30804.html (16/19)
 jmm> http://www.spinics.net/lists/linux-containers/msg30798.html (17/19)
 jmm> http://www.spinics.net/lists/linux-containers/msg30797.html (18/19)
 jmm> http://www.spinics.net/lists/linux-containers/msg30802.html (19/19)
 bwh> Finally fixed upstream in a somewhat simpler way.
Bugs:
upstream: released (4.3-rc1) [cde93be45a8a90d8c264c776fab63487b5038a65, 397d425dc26da728396e66d392d5dcb8dac30c37]
2.6.32-upstream-stable: released (2.6.32.69)
sid: released (4.2.1-1) [bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch, bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch]
3.16-jessie-security: released (3.16.7-ckt11-1+deb8u4) [bugfix/all/namei-lift-open-coded-terminate_walk-in-follow_dotdo.patch, bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch, bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch]
3.2-wheezy-security: released (3.2.68-1+deb7u5) [bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch, bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch]
2.6.32-squeeze-security: released (2.6.32-48squeeze16) [bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch, bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch]
3.16-upstream-stable: released (3.16.7-ckt19) [a75ff8a85153c785ff1ba70ba2a652f6c1f99a5b, 15b1989605d51fb1efb3728ba68e417c4ee02afb]
3.2-upstream-stable: released (3.2.72) [dcache-handle-escaped-paths-in-prepend_path.patch, vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch]