commit: 95d1112750ebfe84eba65df5f8d443a7bbee8ce0 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Fri Oct 17 11:43:19 2014 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Fri Oct 17 11:43:19 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/linux-patches.git;a=commit;h=95d11127
Prevent a leak of unreachable mounts. See bug #524848 --- 0000_README | 4 ++ ...-pivot_root-from-creating-a-loop-in-the-m.patch | 50 ++++++++++++++++++++++ 2 files changed, 54 insertions(+) diff --git a/0000_README b/0000_README index 82731ea..8ed607e 100644 --- a/0000_README +++ b/0000_README @@ -51,6 +51,10 @@ Patch: 1500_XATTR_USER_PREFIX.patch From: https://bugs.gentoo.org/show_bug.cgi?id=470644 Desc: Support for namespace user.pax.* on tmpfs. +Patch: 1510_mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch +From: https://bugs.gentoo.org/show_bug.cgi?id=524848 +Desc: Prevent a leak of unreachable mounts + Patch: 2400_kcopy-patch-for-infiniband-driver.patch From: Alexey Shvetsov <ale...@gentoo.org> Desc: Zero copy for infiniband psm userspace driver diff --git a/1510_mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch b/1510_mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch new file mode 100644 index 0000000..198d949 --- /dev/null +++ b/1510_mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch @@ -0,0 +1,50 @@ +From 0d0826019e529f21c84687521d03f60cd241ca7d Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebied...@xmission.com> +Date: Wed, 8 Oct 2014 10:42:27 -0700 +Subject: [PATCH] mnt: Prevent pivot_root from creating a loop in the mount + tree +Cc: mpag...@gentoo.org + +Andy Lutomirski recently demonstrated that when chroot is used to set +the root path below the path for the new ``root'' passed to pivot_root +the pivot_root system call succeeds and leaks mounts. + +In examining the code I see that starting with a new root that is +below the current root in the mount tree will result in a loop in the +mount tree after the mounts are detached and then reattached to one +another. Resulting in all kinds of ugliness including a leak of that +mounts involved in the leak of the mount loop. + +Prevent this problem by ensuring that the new mount is reachable from +the current root of the mount tree. + +[Added stable cc. Fixes CVE-2014-7970. --Andy] + +Cc: sta...@vger.kernel.org +Reported-by: Andy Lutomirski <l...@amacapital.net> +Reviewed-by: Andy Lutomirski <l...@amacapital.net> +Link: http://lkml.kernel.org/r/87bnpmihks....@x220.int.ebiederm.org +Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> +Signed-off-by: Andy Lutomirski <l...@amacapital.net> +Signed-off-by: Mike Pagano <mpag...@gentoo.org> +--- + fs/namespace.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/namespace.c b/fs/namespace.c +index ef42d9b..74647c2 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2820,6 +2820,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, + /* make sure we can reach put_old from new_root */ + if (!is_path_reachable(old_mnt, old.dentry, &new)) + goto out4; ++ /* make certain new is below the root */ ++ if (!is_path_reachable(new_mnt, new.dentry, &root)) ++ goto out4; + root_mp->m_count++; /* pin it so it won't go away */ + lock_mount_hash(); + detach_mnt(new_mnt, &parent_path); +-- +2.1.1 +
