[linux] 01/02: vfs: Fix possible escape from mount namespace or chroot (CVE-2015-2925)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Oct 8 01:26:48 UTC 2015



benh pushed a commit to branch squeeze-security
in repository linux.

commit 49fc4574269554735b7aeff4dc9ff9fdf3d68b97
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Oct 8 01:07:24 2015 +0100

    vfs: Fix possible escape from mount namespace or chroot (CVE-2015-2925)
---
 debian/changelog                                   |   3 +
 ...ache-handle-escaped-paths-in-prepend_path.patch |  80 ++++++++++++++
 ...-that-are-unreachable-from-their-mnt_root.patch | 116 +++++++++++++++++++++
 debian/patches/series/48squeeze15                  |   2 +
 4 files changed, 201 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 01b9ef2..6cc26ab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,9 @@ linux-2.6 (2.6.32-48squeeze15) UNRELEASED; urgency=medium
   * ipc/sem.c: fully initialize sem_array before making it visible
   * ipc: Initialize msg/shm IPC objects before doing ipc_addid()
     (CVE-2015-7613)
+  * vfs: Fix possible escape from mount namespace or chroot (CVE-2015-2925):
+    - dcache: Handle escaped paths in prepend_path
+    - vfs: Test for and handle paths that are unreachable from their mnt_root
 
  -- Ben Hutchings <ben at decadent.org.uk>  Fri, 02 Oct 2015 02:34:23 +0100
 
diff --git a/debian/patches/bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch b/debian/patches/bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
new file mode 100644
index 0000000..6df20c5
--- /dev/null
+++ b/debian/patches/bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
@@ -0,0 +1,80 @@
+From: "Eric W. Biederman" <ebiederm at xmission.com>
+Date: Sat, 15 Aug 2015 13:36:12 -0500
+Subject: dcache: Handle escaped paths in prepend_path
+Origin: https://git.kernel.org/linus/cde93be45a8a90d8c264c776fab63487b5038a65
+
+A rename can result in a dentry that by walking up d_parent
+will never reach it's mnt_root.  For lack of a better term
+I call this an escaped path.
+
+prepend_path is called by four different functions __d_path,
+d_absolute_path, d_path, and getcwd.
+
+__d_path only wants to see paths are connected to the root it passes
+in.  So __d_path needs prepend_path to return an error.
+
+d_absolute_path similarly wants to see paths that are connected to
+some root.  Escaped paths are not connected to any mnt_root so
+d_absolute_path needs prepend_path to return an error greater
+than 1.  So escaped paths will be treated like paths on lazily
+unmounted mounts.
+
+getcwd needs to prepend "(unreachable)" so getcwd also needs
+prepend_path to return an error.
+
+d_path is the interesting hold out.  d_path just wants to print
+something, and does not care about the weird cases.  Which raises
+the question what should be printed?
+
+Given that <escaped_path>/<anything> should result in -ENOENT I
+believe it is desirable for escaped paths to be printed as empty
+paths.  As there are not really any meaninful path components when
+considered from the perspective of a mount tree.
+
+So tweak prepend_path to return an empty path with an new error
+code of 3 when it encounters an escaped path.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+[bwh: For 2.6.32, implement the "(unreachable)" string in __d_path()]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/dcache.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/dcache.c b/fs/dcache.c
+index 44c0aeafcbc9..e1accce92f68 100644
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -1910,7 +1910,7 @@ char *__d_path(const struct path *path, struct path *root,
+ 	struct dentry *dentry = path->dentry;
+ 	struct vfsmount *vfsmnt = path->mnt;
+ 	char *end = buffer + buflen;
+-	char *retval;
++	char *retval, *tail;
+ 
+ 	spin_lock(&vfsmount_lock);
+ 	prepend(&end, &buflen, "\0", 1);
+@@ -1923,6 +1923,7 @@ char *__d_path(const struct path *path, struct path *root,
+ 	/* Get '/' right */
+ 	retval = end-1;
+ 	*retval = '/';
++	tail = end;
+ 
+ 	for (;;) {
+ 		struct dentry * parent;
+@@ -1930,6 +1931,14 @@ char *__d_path(const struct path *path, struct path *root,
+ 		if (dentry == root->dentry && vfsmnt == root->mnt)
+ 			break;
+ 		if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
++			/* Escaped? */
++			if (dentry != vfsmnt->mnt_root) {
++				buflen += (tail - end);
++				end = tail;
++				prepend(&end, &buflen, "(unreachable)/", 14);
++				retval = end;
++				goto out;
++			}
+ 			/* Global root? */
+ 			if (vfsmnt->mnt_parent == vfsmnt) {
+ 				goto global_root;
diff --git a/debian/patches/bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch b/debian/patches/bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch
new file mode 100644
index 0000000..5689405
--- /dev/null
+++ b/debian/patches/bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch
@@ -0,0 +1,116 @@
+From: "Eric W. Biederman" <ebiederm at xmission.com>
+Date: Sat, 15 Aug 2015 20:27:13 -0500
+Subject: vfs: Test for and handle paths that are unreachable from their mnt_root
+Origin: https://git.kernel.org/linus/397d425dc26da728396e66d392d5dcb8dac30c37
+
+In rare cases a directory can be renamed out from under a bind mount.
+In those cases without special handling it becomes possible to walk up
+the directory tree to the root dentry of the filesystem and down
+from the root dentry to every other file or directory on the filesystem.
+
+Like division by zero .. from an unconnected path can not be given
+a useful semantic as there is no predicting at which path component
+the code will realize it is unconnected.  We certainly can not match
+the current behavior as the current behavior is a security hole.
+
+Therefore when encounting .. when following an unconnected path
+return -ENOENT.
+
+- Add a function path_connected to verify path->dentry is reachable
+  from path->mnt.mnt_root.  AKA to validate that rename did not do
+  something nasty to the bind mount.
+
+  To avoid races path_connected must be called after following a path
+  component to it's next path component.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ fs/namei.c | 32 +++++++++++++++++++++++++++++---
+ 1 file changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index 0d766d201200..6551acba2a2c 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -434,6 +434,24 @@ static struct dentry * cached_lookup(struct dentry * parent, struct qstr * name,
+ 	return dentry;
+ }
+ 
++/**
++ * path_connected - Verify that a path->dentry is below path->mnt.mnt_root
++ * @path: nameidate to verify
++ *
++ * Rename can sometimes move a file or directory outside of a bind
++ * mount, path_connected allows those cases to be detected.
++ */
++static bool path_connected(const struct path *path)
++{
++	struct vfsmount *mnt = path->mnt;
++
++	/* Only bind mounts can have disconnected paths */
++	if (mnt->mnt_root == mnt->mnt_sb->s_root)
++		return true;
++
++	return is_subdir(path->dentry, mnt->mnt_root);
++}
++
+ /*
+  * Short-cut version of permission(), for calling by
+  * path_walk(), when dcache lock is held.  Combines parts
+@@ -754,7 +772,7 @@ int follow_down(struct path *path)
+ 	return 0;
+ }
+ 
+-static __always_inline void follow_dotdot(struct nameidata *nd)
++static __always_inline int follow_dotdot(struct nameidata *nd)
+ {
+ 	set_root(nd);
+ 
+@@ -771,6 +789,8 @@ static __always_inline void follow_dotdot(struct nameidata *nd)
+ 			nd->path.dentry = dget(nd->path.dentry->d_parent);
+ 			spin_unlock(&dcache_lock);
+ 			dput(old);
++			if (unlikely(!path_connected(&nd->path)))
++				return -ENOENT;
+ 			break;
+ 		}
+ 		spin_unlock(&dcache_lock);
+@@ -788,6 +808,7 @@ static __always_inline void follow_dotdot(struct nameidata *nd)
+ 		nd->path.mnt = parent;
+ 	}
+ 	follow_mount(&nd->path);
++	return 0;
+ }
+ 
+ /*
+@@ -905,7 +926,9 @@ static int __link_path_walk(const char *name, struct nameidata *nd)
+ 			case 2:	
+ 				if (this.name[1] != '.')
+ 					break;
+-				follow_dotdot(nd);
++				err = follow_dotdot(nd);
++				if (err < 0)
++					goto out_nd_path_put;
+ 				inode = nd->path.dentry->d_inode;
+ 				/* fallthrough */
+ 			case 1:
+@@ -960,7 +983,9 @@ last_component:
+ 			case 2:	
+ 				if (this.name[1] != '.')
+ 					break;
+-				follow_dotdot(nd);
++				err = follow_dotdot(nd);
++				if (err < 0)
++					goto out_nd_path_put;
+ 				inode = nd->path.dentry->d_inode;
+ 				/* fallthrough */
+ 			case 1:
+@@ -1022,6 +1047,7 @@ out_dput:
+ 		path_put_conditional(&next, nd);
+ 		break;
+ 	}
++out_nd_path_put:
+ 	path_put(&nd->path);
+ return_err:
+ 	return err;
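Review bot: The kernel-doc added for `path_connected` has a typo in its parameter line, `@path: nameidate to verify`, and the parameter is a `struct path` rather than a nameidata; `@path: path to verify` reads correctly. The ordering requirement stated in the patch description — that the check must run after stepping to the next component so a concurrent rename cannot slip in between — is what the one call site in `follow_dotdot` relies on after the `dget(...d_parent)` step, yet the function comment does not say so; adding a sentence like `Must be called after stepping to the new dentry, never before, so that a concurrent rename cannot race the check.` keeps that contract next to the function. The hunks touching `__link_path_walk` start and end outside that function.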
diff --git a/debian/patches/series/48squeeze15 b/debian/patches/series/48squeeze15
index e78a2c3..40e5013 100644
--- a/debian/patches/series/48squeeze15
+++ b/debian/patches/series/48squeeze15
@@ -2,3 +2,5 @@
 + bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch
 + bugfix/all/Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
 
++ bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
++ bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch



