Description: The aio_mount function in fs/aio.c in the Linux kernel does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call.
References:
 http://source.android.com/security/bulletin/2017-02-01.html
Notes:
 carnil> possibly introduced by bb646cdb12e75d82258c2f2e7746d5952d3e321a
 carnil> needs check.
 bwh> I think carnil pasted the wrong hash above.  Anyway, I wrote a test
 bwh> program and verified this does affect 3.2 and 3.16.
 bwh> Dependencies for 3.16:
 bwh> 46b15caa7cb1 vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB
 bwh> 90f8572b0f02 vfs: Commit to never having exectuables on proc and sysfs.
 bwh> Alternately we could assign a filesystem type flag instead of a superblock
 bwh> internal flag.  This is not practical to fix for 3.2, where aio does not
 bwh> have a filesystem.
Bugs:
upstream: released (4.8-rc7) [22f6b4d34fcf039c63a94e7670e0da24f8575a5a]
4.9-upstream-stable: N/A "Fixed before branch point"
3.16-upstream-stable: released (3.16.43) [880366a6e2ef182c37b7c7317dc6d449f625b97d]
3.2-upstream-stable: ignored "changes required are too invasive"
sid: released (4.7.8-1)
3.16-jessie-security: released (3.16.43-1)
3.2-wheezy-security: ignored "changes required are too invasive"