CVE-2014-5206

The do_remount function in fs/namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a mount -o remount command within a user namespace.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/122.html
• https://cwe.mitre.org/data/definitions/233.html
• https://cwe.mitre.org/data/definitions/58.html

References

• http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=a6138db815df5ee542d848318e5dae681590fccd
• http://www.openwall.com/lists/oss-security/2014/08/13/4
• http://www.securityfocus.com/bid/69214
• http://www.ubuntu.com/usn/USN-2317-1
• http://www.ubuntu.com/usn/USN-2318-1
• https://bugzilla.redhat.com/show_bug.cgi?id=1129662
• https://github.com/torvalds/linux/commit/a6138db815df5ee542d848318e5dae681590fccd