[kernel] r22002 - in dists/sid/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at moszumanska.debian.org
Fri Oct 31 02:55:23 UTC 2014


Author: benh
Date: Fri Oct 31 02:55:23 2014
New Revision: 22002

Log:
mnt: Prevent pivot_root from creating a loop in the mount tree (CVE-2014-7970)

Added:
   dists/sid/linux/debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
Modified:
   dists/sid/linux/debian/changelog
   dists/sid/linux/debian/patches/series

Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog	Fri Oct 31 02:45:50 2014	(r22001)
+++ dists/sid/linux/debian/changelog	Fri Oct 31 02:55:23 2014	(r22002)
@@ -146,6 +146,8 @@
   * net: sctp: fix panic on duplicate ASCONF chunks (CVE-2014-3687)
   * net: sctp: fix remote memory pressure from excessive queueing
     (CVE-2014-3688)
+  * mnt: Prevent pivot_root from creating a loop in the mount tree
+    (CVE-2014-7970)
 
   [ Mauricio Faria de Oliveira ]
   * [ppc64el] Disable CONFIG_CMDLINE{,_BOOL} usage for setting consoles

Added: dists/sid/linux/debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch	Fri Oct 31 02:55:23 2014	(r22002)
@@ -0,0 +1,42 @@
+From: "Eric W. Biederman" <ebiederm at xmission.com>
+Date: Wed, 8 Oct 2014 10:42:27 -0700
+Subject: mnt: Prevent pivot_root from creating a loop in the mount tree
+Origin: https://git.kernel.org/linus/0d0826019e529f21c84687521d03f60cd241ca7d
+
+Andy Lutomirski recently demonstrated that when chroot is used to set
+the root path below the path for the new ``root'' passed to pivot_root
+the pivot_root system call succeeds and leaks mounts.
+
+In examining the code I see that starting with a new root that is
+below the current root in the mount tree will result in a loop in the
+mount tree after the mounts are detached and then reattached to one
+another.  Resulting in all kinds of ugliness including a leak of that
+mounts involved in the leak of the mount loop.
+
+Prevent this problem by ensuring that the new mount is reachable from
+the current root of the mount tree.
+
+[Added stable cc.  Fixes CVE-2014-7970.  --Andy]
+
+Cc: stable at vger.kernel.org
+Reported-by: Andy Lutomirski <luto at amacapital.net>
+Reviewed-by: Andy Lutomirski <luto at amacapital.net>
+Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org
+Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+---
+ fs/namespace.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2842,6 +2842,9 @@ SYSCALL_DEFINE2(pivot_root, const char _
+ 	/* make sure we can reach put_old from new_root */
+ 	if (!is_path_reachable(old_mnt, old.dentry, &new))
+ 		goto out4;
++	/* make certain new is below the root */
++	if (!is_path_reachable(new_mnt, new.dentry, &root))
++		goto out4;
+ 	root_mp->m_count++; /* pin it so it won't go away */
+ 	lock_mount_hash();
+ 	detach_mnt(new_mnt, &parent_path);
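Review bot: the added branch in the fs/namespace.c hunk reuses `goto out4` without setting a return code in the visible lines, so a rejected new_root returns whatever value the preceding put_old reachability check would return. Please confirm that is the intended errno for this case. The new comment ("make certain new is below the root") says what is tested but not why. Consider extending it to say that a new_root not reachable from the current root would leave a loop in the mount tree once the mounts are detached and reattached, as the commit message describes. Since `&root` is the caller's current root, it would also help to note that the check is relative to a chroot-adjusted root, which is the case from the report.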

Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series	Fri Oct 31 02:45:50 2014	(r22001)
+++ dists/sid/linux/debian/patches/series	Fri Oct 31 02:55:23 2014	(r22002)
@@ -416,3 +416,4 @@
 bugfix/all/net-sctp-fix-skb_over_panic-when-receiving-malformed.patch
 bugfix/all/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch
 bugfix/all/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
+bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch


