mnt: Prevent pivot_root from creating a loop in the mount tree (CVE-2014-7970)

svn path=/dists/sid/linux/; revision=22002
2014-10-31 02:55:23 +00:00 · 2014-10-31 02:55:23 +00:00 · 92bd6e5dd2
parent b6fc81e7d1
commit 92bd6e5dd2
3 changed files with 45 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -146,6 +146,8 @@ linux (3.16.7-1) UNRELEASED; urgency=medium
  * net: sctp: fix panic on duplicate ASCONF chunks (CVE-2014-3687)
  * net: sctp: fix remote memory pressure from excessive queueing
    (CVE-2014-3688)
+  * mnt: Prevent pivot_root from creating a loop in the mount tree
+    (CVE-2014-7970)

  [ Mauricio Faria de Oliveira ]
  * [ppc64el] Disable CONFIG_CMDLINE{,_BOOL} usage for setting consoles
--- a/debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
+++ b/debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
@ -0,0 +1,42 @@
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 8 Oct 2014 10:42:27 -0700
+Subject: mnt: Prevent pivot_root from creating a loop in the mount tree
+Origin: https://git.kernel.org/linus/0d0826019e529f21c84687521d03f60cd241ca7d
+
+Andy Lutomirski recently demonstrated that when chroot is used to set
+the root path below the path for the new ``root'' passed to pivot_root
+the pivot_root system call succeeds and leaks mounts.
+
+In examining the code I see that starting with a new root that is
+below the current root in the mount tree will result in a loop in the
+mount tree after the mounts are detached and then reattached to one
+another.  Resulting in all kinds of ugliness including a leak of that
+mounts involved in the leak of the mount loop.
+
+Prevent this problem by ensuring that the new mount is reachable from
+the current root of the mount tree.
+
+[Added stable cc.  Fixes CVE-2014-7970.  --Andy]
+
+Cc: stable@vger.kernel.org
+Reported-by: Andy Lutomirski <luto@amacapital.net>
+Reviewed-by: Andy Lutomirski <luto@amacapital.net>
+Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+---
+ fs/namespace.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/namespace.c
+++ b/fs/namespace.c
+@@ -2842,6 +2842,9 @@ SYSCALL_DEFINE2(pivot_root, const char _
+ 	/* make sure we can reach put_old from new_root */
+ 	if (!is_path_reachable(old_mnt, old.dentry, &new))
+ 		goto out4;
+	/* make certain new is below the root */
+	if (!is_path_reachable(new_mnt, new.dentry, &root))
+		goto out4;
+ 	root_mp->m_count++; /* pin it so it won't go away */
+ 	lock_mount_hash();
+ 	detach_mnt(new_mnt, &parent_path);
--- a/debian/patches/series
+++ b/debian/patches/series
@ -416,3 +416,4 @@ bugfix/x86/KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch
 bugfix/all/net-sctp-fix-skb_over_panic-when-receiving-malformed.patch
 bugfix/all/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch
 bugfix/all/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
+bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch