[linux] 01/02: vfs: Fix possible escape from mount namespace or chroot (CVE-2015-2925)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu Oct 8 01:26:48 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch squeeze-security
in repository linux.
commit 49fc4574269554735b7aeff4dc9ff9fdf3d68b97
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Thu Oct 8 01:07:24 2015 +0100
vfs: Fix possible escape from mount namespace or chroot (CVE-2015-2925)
---
debian/changelog | 3 +
...ache-handle-escaped-paths-in-prepend_path.patch | 80 ++++++++++++++
...-that-are-unreachable-from-their-mnt_root.patch | 116 +++++++++++++++++++++
debian/patches/series/48squeeze15 | 2 +
4 files changed, 201 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 01b9ef2..6cc26ab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,9 @@ linux-2.6 (2.6.32-48squeeze15) UNRELEASED; urgency=medium
* ipc/sem.c: fully initialize sem_array before making it visible
* ipc: Initialize msg/shm IPC objects before doing ipc_addid()
(CVE-2015-7613)
+ * vfs: Fix possible escape from mount namespace or chroot (CVE-2015-2925):
+ - dcache: Handle escaped paths in prepend_path
+ - vfs: Test for and handle paths that are unreachable from their mnt_root
-- Ben Hutchings <ben at decadent.org.uk> Fri, 02 Oct 2015 02:34:23 +0100
diff --git a/debian/patches/bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch b/debian/patches/bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
new file mode 100644
index 0000000..6df20c5
--- /dev/null
+++ b/debian/patches/bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
@@ -0,0 +1,80 @@
+From: "Eric W. Biederman" <ebiederm at xmission.com>
+Date: Sat, 15 Aug 2015 13:36:12 -0500
+Subject: dcache: Handle escaped paths in prepend_path
+Origin: https://git.kernel.org/linus/cde93be45a8a90d8c264c776fab63487b5038a65
+
+A rename can result in a dentry that by walking up d_parent
+will never reach it's mnt_root. For lack of a better term
+I call this an escaped path.
+
+prepend_path is called by four different functions __d_path,
+d_absolute_path, d_path, and getcwd.
+
+__d_path only wants to see paths are connected to the root it passes
+in. So __d_path needs prepend_path to return an error.
+
+d_absolute_path similarly wants to see paths that are connected to
+some root. Escaped paths are not connected to any mnt_root so
+d_absolute_path needs prepend_path to return an error greater
+than 1. So escaped paths will be treated like paths on lazily
+unmounted mounts.
+
+getcwd needs to prepend "(unreachable)" so getcwd also needs
+prepend_path to return an error.
+
+d_path is the interesting hold out. d_path just wants to print
+something, and does not care about the weird cases. Which raises
+the question what should be printed?
+
+Given that <escaped_path>/<anything> should result in -ENOENT I
+believe it is desirable for escaped paths to be printed as empty
+paths. As there are not really any meaninful path components when
+considered from the perspective of a mount tree.
+
+So tweak prepend_path to return an empty path with an new error
+code of 3 when it encounters an escaped path.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+[bwh: For 2.6.32, implement the "(unreachable)" string in __d_path()]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/dcache.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/dcache.c b/fs/dcache.c
+index 44c0aeafcbc9..e1accce92f68 100644
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -1910,7 +1910,7 @@ char *__d_path(const struct path *path, struct path *root,
+ struct dentry *dentry = path->dentry;
+ struct vfsmount *vfsmnt = path->mnt;
+ char *end = buffer + buflen;
+- char *retval;
++ char *retval, *tail;
+
+ spin_lock(&vfsmount_lock);
+ prepend(&end, &buflen, "\0", 1);
+@@ -1923,6 +1923,7 @@ char *__d_path(const struct path *path, struct path *root,
+ /* Get '/' right */
+ retval = end-1;
+ *retval = '/';
++ tail = end;
+
+ for (;;) {
+ struct dentry * parent;
+@@ -1930,6 +1931,14 @@ char *__d_path(const struct path *path, struct path *root,
+ if (dentry == root->dentry && vfsmnt == root->mnt)
+ break;
+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
++ /* Escaped? */
++ if (dentry != vfsmnt->mnt_root) {
++ buflen += (tail - end);
++ end = tail;
++ prepend(&end, &buflen, "(unreachable)/", 14);
++ retval = end;
++ goto out;
++ }
+ /* Global root? */
+ if (vfsmnt->mnt_parent == vfsmnt) {
+ goto global_root;
diff --git a/debian/patches/bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch b/debian/patches/bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch
new file mode 100644
index 0000000..5689405
--- /dev/null
+++ b/debian/patches/bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch
@@ -0,0 +1,116 @@
+From: "Eric W. Biederman" <ebiederm at xmission.com>
+Date: Sat, 15 Aug 2015 20:27:13 -0500
+Subject: vfs: Test for and handle paths that are unreachable from their mnt_root
+Origin: https://git.kernel.org/linus/397d425dc26da728396e66d392d5dcb8dac30c37
+
+In rare cases a directory can be renamed out from under a bind mount.
+In those cases without special handling it becomes possible to walk up
+the directory tree to the root dentry of the filesystem and down
+from the root dentry to every other file or directory on the filesystem.
+
+Like division by zero .. from an unconnected path can not be given
+a useful semantic as there is no predicting at which path component
+the code will realize it is unconnected. We certainly can not match
+the current behavior as the current behavior is a security hole.
+
+Therefore when encounting .. when following an unconnected path
+return -ENOENT.
+
+- Add a function path_connected to verify path->dentry is reachable
+ from path->mnt.mnt_root. AKA to validate that rename did not do
+ something nasty to the bind mount.
+
+ To avoid races path_connected must be called after following a path
+ component to it's next path component.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ fs/namei.c | 32 +++++++++++++++++++++++++++++---
+ 1 file changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index 0d766d201200..6551acba2a2c 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -434,6 +434,24 @@ static struct dentry * cached_lookup(struct dentry * parent, struct qstr * name,
+ return dentry;
+ }
+
++/**
++ * path_connected - Verify that a path->dentry is below path->mnt.mnt_root
++ * @path: nameidate to verify
++ *
++ * Rename can sometimes move a file or directory outside of a bind
++ * mount, path_connected allows those cases to be detected.
++ */
++static bool path_connected(const struct path *path)
++{
++ struct vfsmount *mnt = path->mnt;
++
++ /* Only bind mounts can have disconnected paths */
++ if (mnt->mnt_root == mnt->mnt_sb->s_root)
++ return true;
++
++ return is_subdir(path->dentry, mnt->mnt_root);
++}
++
+ /*
+ * Short-cut version of permission(), for calling by
+ * path_walk(), when dcache lock is held. Combines parts
+@@ -754,7 +772,7 @@ int follow_down(struct path *path)
+ return 0;
+ }
+
+-static __always_inline void follow_dotdot(struct nameidata *nd)
++static __always_inline int follow_dotdot(struct nameidata *nd)
+ {
+ set_root(nd);
+
+@@ -771,6 +789,8 @@ static __always_inline void follow_dotdot(struct nameidata *nd)
+ nd->path.dentry = dget(nd->path.dentry->d_parent);
+ spin_unlock(&dcache_lock);
+ dput(old);
++ if (unlikely(!path_connected(&nd->path)))
++ return -ENOENT;
+ break;
+ }
+ spin_unlock(&dcache_lock);
+@@ -788,6 +808,7 @@ static __always_inline void follow_dotdot(struct nameidata *nd)
+ nd->path.mnt = parent;
+ }
+ follow_mount(&nd->path);
++ return 0;
+ }
+
+ /*
+@@ -905,7 +926,9 @@ static int __link_path_walk(const char *name, struct nameidata *nd)
+ case 2:
+ if (this.name[1] != '.')
+ break;
+- follow_dotdot(nd);
++ err = follow_dotdot(nd);
++ if (err < 0)
++ goto out_nd_path_put;
+ inode = nd->path.dentry->d_inode;
+ /* fallthrough */
+ case 1:
+@@ -960,7 +983,9 @@ last_component:
+ case 2:
+ if (this.name[1] != '.')
+ break;
+- follow_dotdot(nd);
++ err = follow_dotdot(nd);
++ if (err < 0)
++ goto out_nd_path_put;
+ inode = nd->path.dentry->d_inode;
+ /* fallthrough */
+ case 1:
+@@ -1022,6 +1047,7 @@ out_dput:
+ path_put_conditional(&next, nd);
+ break;
+ }
++out_nd_path_put:
+ path_put(&nd->path);
+ return_err:
+ return err;
diff --git a/debian/patches/series/48squeeze15 b/debian/patches/series/48squeeze15
index e78a2c3..40e5013 100644
--- a/debian/patches/series/48squeeze15
+++ b/debian/patches/series/48squeeze15
@@ -2,3 +2,5 @@
+ bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch
+ bugfix/all/Initialize-msg-shm-IPC-objects-before-doing-ipc_addi.patch
++ bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
++ bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list