blob: 2611cab04ca7683213f5ec4e50f003b565872a06 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
Description: The aio_mount function in fs/aio.c in the Linux kernel does not properly restrict execute access, which makes it easier for local users to bypass intended SELinux W^X policy restrictions, and consequently gain privileges, via an io_setup system call.
References:
http://source.android.com/security/bulletin/2017-02-01.html
Notes:
carnil> possibly introduced by bb646cdb12e75d82258c2f2e7746d5952d3e321a
carnil> needs check.
bwh> I think carnil pasted the wrong hash above. Anyway, I wrote a test
bwh> program and verified this does affect 3.2 and 3.16.
bwh> Dependencies for 3.16:
bwh> 46b15caa7cb1 vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB
bwh> 90f8572b0f02 vfs: Commit to never having exectuables on proc and sysfs.
bwh> Alternately we could assign a filesystem type flag instead of a superblock
bwh> internal flag. This is not practical to fix for 3.2, where aio does not
bwh> have a filesystem.
Bugs:
upstream: released (4.8-rc7) [22f6b4d34fcf039c63a94e7670e0da24f8575a5a]
4.9-upstream-stable: N/A "Fixed before branch point"
3.16-upstream-stable: released (3.16.43) [880366a6e2ef182c37b7c7317dc6d449f625b97d]
3.2-upstream-stable: ignored "changes required are too invasive"
sid: released (4.7.8-1)
3.16-jessie-security: released (3.16.43-1)
3.2-wheezy-security: ignored "changes required are too invasive"
|