The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID.
{ "vanir_signatures": [ { "id": "CVE-2018-13405-91469ed2", "digest": { "length": 292.0, "function_hash": "74353457159367498983847058097463180715" }, "signature_version": "v1", "target": { "file": "fs/inode.c", "function": "inode_init_owner" }, "deprecated": false, "signature_type": "Function", "source": "https://github.com/torvalds/linux/commit/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7" }, { "id": "CVE-2018-13405-d55e9c5e", "digest": { "threshold": 0.9, "line_hashes": [ "56289590247260689716075216337893445230", "181881191910643226634036536992678615471", "286960857080910926976707544565713622832", "180019755580562937065312454050677812048", "18040660402559416350869630779882658664", "15544113592705489570894747151139159268" ] }, "signature_version": "v1", "target": { "file": "fs/inode.c" }, "deprecated": false, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7" }, { "id": "CVE-2018-13405-d708755a", "digest": { "length": 292.0, "function_hash": "74353457159367498983847058097463180715" }, "signature_version": "v1", "target": { "file": "fs/inode.c", "function": "inode_init_owner" }, "deprecated": false, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git@0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7" }, { "id": "CVE-2018-13405-dd480402", "digest": { "threshold": 0.9, "line_hashes": [ "56289590247260689716075216337893445230", "181881191910643226634036536992678615471", "286960857080910926976707544565713622832", "180019755580562937065312454050677812048", "18040660402559416350869630779882658664", "15544113592705489570894747151139159268" ] }, "signature_version": "v1", "target": { "file": "fs/inode.c" }, "deprecated": false, "signature_type": "Line", "source": "https://github.com/torvalds/linux/commit/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7" } ] }