mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-04 12:20:49 -05:00
55 lines
2.1 KiB
Diff
From c88f7bbd8026761a615c9969d186ffa2a1a3da3c Mon Sep 17 00:00:00 2001
From: "Eric W. Biederman" <ebiederm@xmission.com>
Date: Thu, 15 Jan 2015 17:49:27 +0000
Subject: [PATCH] mnt: Prevent pivot_root from creating a loop in the mount
 tree

Andy Lutomirski recently demonstrated that when chroot is used to set
the root path below the path for the new ``root'' passed to pivot_root
the pivot_root system call succeeds and leaks mounts.

In examining the code I see that starting with a new root that is
below the current root in the mount tree will result in a loop in the
mount tree after the mounts are detached and then reattached to one
another. Resulting in all kinds of ugliness including a leak of that
mounts involved in the leak of the mount loop.

Prevent this problem by ensuring that the new mount is reachable from
the current root of the mount tree.

[Added stable cc. Fixes CVE-2014-7970. --Andy]

Cc: stable@vger.kernel.org
Reported-by: Andy Lutomirski <luto@amacapital.net>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
(backported from commit 0d0826019e529f21c84687521d03f60cd241ca7d)
CVE-2014-7970
BugLink: http://bugs.launchpad.net/bugs/1383356
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>

Change-Id: I0fe1d090eeb4765cc49401784e44a430f9585498
---
fs/namespace.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/namespace.c b/fs/namespace.c
index 912d273d970..4f47629a4e0 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2618,6 +2618,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
goto out4;
} else if (!is_subdir(old.dentry, new.dentry))
goto out4;
+ /* make certain new is below the root */
+ if (!is_path_reachable(new.mnt, new.dentry, &root))
+ goto out4;
br_write_lock(vfsmount_lock);
detach_mnt(new.mnt, &parent_path);
detach_mnt(root.mnt, &root_parent);
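Review bot: the added is_path_reachable(new.mnt, new.dentry, &root) call sits above br_write_lock(vfsmount_lock), so the reachability walk runs before that lock is taken and the result is only acted on afterwards by the two detach_mnt() calls. It is worth confirming for this backported tree that whatever is already held at this point keeps the mount tree from changing between the check and the detach, and saying so in the comment, since the hunk itself does not show it. The comment "make certain new is below the root" could also state the reason given in the commit message (a new root that is not reachable from the current root produces a loop in the mount tree once both mounts are detached and reattached), so the check is not later mistaken for a duplicate of the is_subdir() test just above it. The failure path reuses out4 like the preceding checks, so the caller sees the same error as for those and cannot tell which condition rejected the request; that is acceptable if intentional, but a one-line note would help.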