mnt: Prevent pivot_root from creating a loop in the mount tree (CVE-2014-7970)
svn path=/dists/sid/linux/; revision=22002
parent b6fc81e7d1
commit 92bd6e5dd2
@ -146,6 +146,8 @@ linux (3.16.7-1) UNRELEASED; urgency=medium
|
|||
* net: sctp: fix panic on duplicate ASCONF chunks (CVE-2014-3687)
|
||||
* net: sctp: fix remote memory pressure from excessive queueing
|
||||
(CVE-2014-3688)
|
||||
* mnt: Prevent pivot_root from creating a loop in the mount tree
|
||||
(CVE-2014-7970)
|
||||
|
||||
[ Mauricio Faria de Oliveira ]
|
||||
* [ppc64el] Disable CONFIG_CMDLINE{,_BOOL} usage for setting consoles
|
||||
|
|
42
debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
vendored
Normal file
|
@ -0,0 +1,42 @@
|
|||
From: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Date: Wed, 8 Oct 2014 10:42:27 -0700
|
||||
Subject: mnt: Prevent pivot_root from creating a loop in the mount tree
|
||||
Origin: https://git.kernel.org/linus/0d0826019e529f21c84687521d03f60cd241ca7d
|
||||
|
||||
Andy Lutomirski recently demonstrated that when chroot is used to set
|
||||
the root path below the path for the new ``root'' passed to pivot_root
|
||||
the pivot_root system call succeeds and leaks mounts.
|
||||
|
||||
In examining the code I see that starting with a new root that is
|
||||
below the current root in the mount tree will result in a loop in the
|
||||
mount tree after the mounts are detached and then reattached to one
|
||||
another. Resulting in all kinds of ugliness including a leak of that
|
||||
mounts involved in the leak of the mount loop.
|
||||
|
||||
Prevent this problem by ensuring that the new mount is reachable from
|
||||
the current root of the mount tree.
|
||||
|
||||
[Added stable cc. Fixes CVE-2014-7970. --Andy]
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Reported-by: Andy Lutomirski <luto@amacapital.net>
|
||||
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
|
||||
Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org
|
||||
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
|
||||
---
|
||||
fs/namespace.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- a/fs/namespace.c
|
||||
+++ b/fs/namespace.c
|
||||
@@ -2842,6 +2842,9 @@ SYSCALL_DEFINE2(pivot_root, const char _
|
||||
/* make sure we can reach put_old from new_root */
|
||||
if (!is_path_reachable(old_mnt, old.dentry, &new))
|
||||
goto out4;
|
||||
+ /* make certain new is below the root */
|
||||
+ if (!is_path_reachable(new_mnt, new.dentry, &root))
|
||||
+ goto out4;
|
||||
root_mp->m_count++; /* pin it so it won't go away */
|
||||
lock_mount_hash();
|
||||
detach_mnt(new_mnt, &parent_path);
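Review bot: The comment on the added check in fs/namespace.c, "make certain new is below the root", says what is tested but not why. The commit message gives the reason: when chroot has set the root path below the path for the new root, pivot_root ends up with a loop in the mount tree once the mounts are detached and reattached. A short form of that belongs next to the check, so that it is not later mistaken for a duplicate of the is_path_reachable() test directly above it, which covers put_old rather than new_root. The new branch also reuses "goto out4", so the caller receives whatever error value is already set at that point. That assignment is outside the visible context, so confirm it is the intended errno for this case.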
|
|
@ -416,3 +416,4 @@ bugfix/x86/KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch
|
|||
bugfix/all/net-sctp-fix-skb_over_panic-when-receiving-malformed.patch
|
||||
bugfix/all/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch
|
||||
bugfix/all/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
|
||||
bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
|
||||
|
|