From 92bd6e5dd2c724076bc4001737b06f6f54d43498 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Fri, 31 Oct 2014 02:55:23 +0000 Subject: [PATCH] mnt: Prevent pivot_root from creating a loop in the mount tree (CVE-2014-7970) svn path=/dists/sid/linux/; revision=22002 --- debian/changelog | 2 + ...t_root-from-creating-a-loop-in-the-m.patch | 42 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 45 insertions(+) create mode 100644 debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch diff --git a/debian/changelog b/debian/changelog index f029ba803..3f872a6f2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -146,6 +146,8 @@ linux (3.16.7-1) UNRELEASED; urgency=medium * net: sctp: fix panic on duplicate ASCONF chunks (CVE-2014-3687) * net: sctp: fix remote memory pressure from excessive queueing (CVE-2014-3688) + * mnt: Prevent pivot_root from creating a loop in the mount tree + (CVE-2014-7970) [ Mauricio Faria de Oliveira ] * [ppc64el] Disable CONFIG_CMDLINE{,_BOOL} usage for setting consoles diff --git a/debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch b/debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch new file mode 100644 index 000000000..e2cccaadb --- /dev/null +++ b/debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch 
@@ -0,0 +1,42 @@ +From: "Eric W. Biederman" +Date: Wed, 8 Oct 2014 10:42:27 -0700 +Subject: mnt: Prevent pivot_root from creating a loop in the mount tree +Origin: https://git.kernel.org/linus/0d0826019e529f21c84687521d03f60cd241ca7d + +Andy Lutomirski recently demonstrated that when chroot is used to set +the root path below the path for the new ``root'' passed to pivot_root +the pivot_root system call succeeds and leaks mounts. + +In examining the code I see that starting with a new root that is +below the current root in the mount tree will result in a loop in the +mount tree after the mounts are detached and then reattached to one +another. Resulting in all kinds of ugliness including a leak of that +mounts involved in the leak of the mount loop. + +Prevent this problem by ensuring that the new mount is reachable from +the current root of the mount tree. + +[Added stable cc. Fixes CVE-2014-7970. --Andy] + +Cc: stable@vger.kernel.org +Reported-by: Andy Lutomirski +Reviewed-by: Andy Lutomirski +Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Andy Lutomirski +--- + fs/namespace.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2842,6 +2842,9 @@ SYSCALL_DEFINE2(pivot_root, const char _ + /* make sure we can reach put_old from new_root */ + if (!is_path_reachable(old_mnt, old.dentry, &new)) + goto out4; ++ /* make certain new is below the root */ ++ if (!is_path_reachable(new_mnt, new.dentry, &root)) ++ goto out4; + root_mp->m_count++; /* pin it so it won't go away */ + lock_mount_hash(); + detach_mnt(new_mnt, &parent_path); diff --git a/debian/patches/series b/debian/patches/series index de304db59..e2ef87d8b 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -416,3 +416,4 @@ bugfix/x86/KVM-x86-Emulator-fixes-for-eip-canonical-checks-on-n.patch bugfix/all/net-sctp-fix-skb_over_panic-when-receiving-malformed.patch bugfix/all/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch bugfix/all/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch +bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
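Review bot: In the fs/namespace.c hunk, the new `is_path_reachable(new_mnt, new.dentry, &root)` check is placed correctly: it comes before `root_mp->m_count++` and `lock_mount_hash()`, so reusing the existing `goto out4` from the adjacent put_old reachability check needs no extra unwinding. Two things worth confirming in the full function, since neither is visible here: that the error code set for the preceding put_old check is still the one returned when this new `goto out4` fires, and that `root` is the caller's current root path obtained earlier in pivot_root (it is not assigned within this hunk). The comment `/* make certain new is below the root */` would read more precisely as "reachable from the current root", matching the wording of the put_old check above it and the commit description.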