[kernel] r22002 - in dists/sid/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at moszumanska.debian.org
Fri Oct 31 02:55:23 UTC 2014
Author: benh
Date: Fri Oct 31 02:55:23 2014
New Revision: 22002
Log:
mnt: Prevent pivot_root from creating a loop in the mount tree (CVE-2014-7970)
Added:
dists/sid/linux/debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
Modified:
dists/sid/linux/debian/changelog
dists/sid/linux/debian/patches/series
Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog Fri Oct 31 02:45:50 2014 (r22001)
+++ dists/sid/linux/debian/changelog Fri Oct 31 02:55:23 2014 (r22002)
@@ -146,6 +146,8 @@
* net: sctp: fix panic on duplicate ASCONF chunks (CVE-2014-3687)
* net: sctp: fix remote memory pressure from excessive queueing
(CVE-2014-3688)
+ * mnt: Prevent pivot_root from creating a loop in the mount tree
+ (CVE-2014-7970)
[ Mauricio Faria de Oliveira ]
* [ppc64el] Disable CONFIG_CMDLINE{,_BOOL} usage for setting consoles
Added: dists/sid/linux/debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch Fri Oct 31 02:55:23 2014 (r22002)
@@ -0,0 +1,42 @@
+From: "Eric W. Biederman" <ebiederm at xmission.com>
+Date: Wed, 8 Oct 2014 10:42:27 -0700
+Subject: mnt: Prevent pivot_root from creating a loop in the mount tree
+Origin: https://git.kernel.org/linus/0d0826019e529f21c84687521d03f60cd241ca7d
+
+Andy Lutomirski recently demonstrated that when chroot is used to set
+the root path below the path for the new ``root'' passed to pivot_root
+the pivot_root system call succeeds and leaks mounts.
+
+In examining the code I see that starting with a new root that is
+below the current root in the mount tree will result in a loop in the
+mount tree after the mounts are detached and then reattached to one
+another. Resulting in all kinds of ugliness including a leak of that
+mounts involved in the leak of the mount loop.
+
+Prevent this problem by ensuring that the new mount is reachable from
+the current root of the mount tree.
+
+[Added stable cc. Fixes CVE-2014-7970. --Andy]
+
+Cc: stable at vger.kernel.org
+Reported-by: Andy Lutomirski <luto at amacapital.net>
+Reviewed-by: Andy Lutomirski <luto at amacapital.net>
+Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org
+Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+---
+ fs/namespace.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2842,6 +2842,9 @@ SYSCALL_DEFINE2(pivot_root, const char _
+ /* make sure we can reach put_old from new_root */
+ if (!is_path_reachable(old_mnt, old.dentry, &new))
+ goto out4;
++ /* make certain new is below the root */
++ if (!is_path_reachable(new_mnt, new.dentry, &root))
++ goto out4;
+ root_mp->m_count++; /* pin it so it won't go away */
+ lock_mount_hash();
+ detach_mnt(new_mnt, &parent_path);
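Review bot: The comment added in the fs/namespace.c hunk, "make certain new is below the root", says what is checked but not why. Consider extending it to state the reason given in the commit message: a new root that is not reachable from the current root leaves a loop in the mount tree once the mounts are detached and reattached. The new test also reuses `goto out4`, and the error value returned on that path is set outside the lines shown here, so confirm that the value in effect at that point is the one intended for this failure. Placing the check before `root_mp->m_count++` is right, since the failure path then has no pin to drop.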
Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series Fri Oct 31 02:45:50 2014 (r22001)
+++ dists/sid/linux/debian/patches/series Fri Oct 31 02:55:23 2014 (r22002)
@@ -416,3 +416,4 @@
bugfix/all/net-sctp-fix-skb_over_panic-when-receiving-malformed.patch
bugfix/all/net-sctp-fix-panic-on-duplicate-ASCONF-chunks.patch
bugfix/all/net-sctp-fix-remote-memory-pressure-from-excessive-q.patch
+bugfix/all/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch