[linux] 02/02: vfs: Fix possible escape from mount namespace (CVE-2015-2925)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Sat Sep 19 01:27:42 UTC 2015 

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit 98ab0b496f086a0e528da5d019c62bdfe5463b81
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Sep 19 03:11:36 2015 +0200

    vfs: Fix possible escape from mount namespace (CVE-2015-2925)
---
 debian/changelog                                   |   5 +
 ...ache-handle-escaped-paths-in-prepend_path.patch |  58 ++++++++++++
 ...open-coded-terminate_walk-in-follow_dotdo.patch |  66 +++++++++++++
 ...r-and-handle-paths-that-are-unreachable-f.patch | 103 +++++++++++++++++++++
 debian/patches/series                              |   3 +
 5 files changed, 235 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 1bdf892..fd2c151 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,11 @@ linux (3.16.7-ckt11-1+deb8u4) UNRELEASED; urgency=medium
   * aufs3: mmap: Fix races in madvise_remove() and sys_msync() (Closes: #796036)
   * RDS: verify the underlying transport exists before creating a connection
     (CVE-2015-6937)
+  * vfs: Fix possible escape from mount namespace (CVE-2015-2925):
+    - namei: lift (open-coded) terminate_walk() in follow_dotdot_rcu() into
+      callers
+    - dcache: Handle escaped paths in prepend_path
+    - vfs: Test for and handle paths that are unreachable from their mnt_root
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 09 Sep 2015 21:21:36 +0100
 
diff --git a/debian/patches/bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch b/debian/patches/bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
new file mode 100644
index 0000000..e038e06
--- /dev/null
+++ b/debian/patches/bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
@@ -0,0 +1,58 @@
+From: "Eric W. Biederman" <ebiederm at xmission.com>
+Date: Sat, 15 Aug 2015 13:36:12 -0500
+Subject: dcache: Handle escaped paths in prepend_path
+Origin: https://git.kernel.org/linus/cde93be45a8a90d8c264c776fab63487b5038a65
+
+A rename can result in a dentry that by walking up d_parent
+will never reach it's mnt_root.  For lack of a better term
+I call this an escaped path.
+
+prepend_path is called by four different functions __d_path,
+d_absolute_path, d_path, and getcwd.
+
+__d_path only wants to see paths are connected to the root it passes
+in.  So __d_path needs prepend_path to return an error.
+
+d_absolute_path similarly wants to see paths that are connected to
+some root.  Escaped paths are not connected to any mnt_root so
+d_absolute_path needs prepend_path to return an error greater
+than 1.  So escaped paths will be treated like paths on lazily
+unmounted mounts.
+
+getcwd needs to prepend "(unreachable)" so getcwd also needs
+prepend_path to return an error.
+
+d_path is the interesting hold out.  d_path just wants to print
+something, and does not care about the weird cases.  Which raises
+the question what should be printed?
+
+Given that <escaped_path>/<anything> should result in -ENOENT I
+believe it is desirable for escaped paths to be printed as empty
+paths.  As there are not really any meaninful path components when
+considered from the perspective of a mount tree.
+
+So tweak prepend_path to return an empty path with an new error
+code of 3 when it encounters an escaped path.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ fs/dcache.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2909,6 +2909,13 @@ restart:
+ 
+ 		if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
+ 			struct mount *parent = ACCESS_ONCE(mnt->mnt_parent);
++			/* Escaped? */
++			if (dentry != vfsmnt->mnt_root) {
++				bptr = *buffer;
++				blen = *buflen;
++				error = 3;
++				break;
++			}
+ 			/* Global root? */
+ 			if (mnt != parent) {
+ 				dentry = ACCESS_ONCE(mnt->mnt_mountpoint);
diff --git a/debian/patches/bugfix/all/namei-lift-open-coded-terminate_walk-in-follow_dotdo.patch b/debian/patches/bugfix/all/namei-lift-open-coded-terminate_walk-in-follow_dotdo.patch
new file mode 100644
index 0000000..82d4dfa
--- /dev/null
+++ b/debian/patches/bugfix/all/namei-lift-open-coded-terminate_walk-in-follow_dotdo.patch
@@ -0,0 +1,66 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Mon, 4 May 2015 07:53:00 -0400
+Subject: namei: lift (open-coded) terminate_walk() in follow_dotdot_rcu() into
+ callers
+Origin: https://git.kernel.org/linus/70291aecc6aa228c1b3bb36a5f3efdb0af636042
+
+follow_dotdot_rcu() does an equivalent of terminate_walk() on failure;
+shifting it into callers makes for simpler rules and those callers
+already have terminate_walk() on other failure exits.
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+[bwh: Backported to 3.16: adjust context]
+---
+ fs/namei.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1178,10 +1178,6 @@ static int follow_dotdot_rcu(struct name
+ 	return 0;
+ 
+ failed:
+-	nd->flags &= ~LOOKUP_RCU;
+-	if (!(nd->flags & LOOKUP_ROOT))
+-		nd->root.mnt = NULL;
+-	rcu_read_unlock();
+ 	return -ECHILD;
+ }
+ 
+@@ -1494,8 +1490,7 @@ static inline int handle_dots(struct nam
+ {
+ 	if (type == LAST_DOTDOT) {
+ 		if (nd->flags & LOOKUP_RCU) {
+-			if (follow_dotdot_rcu(nd))
+-				return -ECHILD;
++			return follow_dotdot_rcu(nd);
+ 		} else
+ 			follow_dotdot(nd);
+ 	}
+@@ -1535,8 +1530,12 @@ static inline int walk_component(struct
+ 	 * to be able to know about the current root directory and
+ 	 * parent relationships.
+ 	 */
+-	if (unlikely(nd->last_type != LAST_NORM))
+-		return handle_dots(nd, nd->last_type);
++	if (unlikely(nd->last_type != LAST_NORM)) {
++		err = handle_dots(nd, nd->last_type);
++		if (err)
++			goto out_err;
++		return 0;
++	}
+ 	err = lookup_fast(nd, path, &inode);
+ 	if (unlikely(err)) {
+ 		if (err < 0)
+@@ -2904,8 +2903,10 @@ static int do_last(struct nameidata *nd,
+ 
+ 	if (nd->last_type != LAST_NORM) {
+ 		error = handle_dots(nd, nd->last_type);
+-		if (error)
++		if (unlikely(error)) {
++			terminate_walk(nd);
+ 			return error;
++		}
+ 		goto finish_open;
+ 	}
+ 
diff --git a/debian/patches/bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch b/debian/patches/bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch
new file mode 100644
index 0000000..751d512
--- /dev/null
+++ b/debian/patches/bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch
@@ -0,0 +1,103 @@
+From: "Eric W. Biederman" <ebiederm at xmission.com>
+Date: Sat, 15 Aug 2015 20:27:13 -0500
+Subject: vfs: Test for and handle paths that are unreachable from their mnt_root
+Origin: https://git.kernel.org/linus/397d425dc26da728396e66d392d5dcb8dac30c37
+
+In rare cases a directory can be renamed out from under a bind mount.
+In those cases without special handling it becomes possible to walk up
+the directory tree to the root dentry of the filesystem and down
+from the root dentry to every other file or directory on the filesystem.
+
+Like division by zero .. from an unconnected path can not be given
+a useful semantic as there is no predicting at which path component
+the code will realize it is unconnected.  We certainly can not match
+the current behavior as the current behavior is a security hole.
+
+Therefore when encounting .. when following an unconnected path
+return -ENOENT.
+
+- Add a function path_connected to verify path->dentry is reachable
+  from path->mnt.mnt_root.  AKA to validate that rename did not do
+  something nasty to the bind mount.
+
+  To avoid races path_connected must be called after following a path
+  component to it's next path component.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+[bwh: Backported to 3.16: adjust context]
+---
+ fs/namei.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -486,6 +486,24 @@ void path_put(const struct path *path)
+ }
+ EXPORT_SYMBOL(path_put);
+ 
++/**
++ * path_connected - Verify that a path->dentry is below path->mnt.mnt_root
++ * @path: nameidate to verify
++ *
++ * Rename can sometimes move a file or directory outside of a bind
++ * mount, path_connected allows those cases to be detected.
++ */
++static bool path_connected(const struct path *path)
++{
++	struct vfsmount *mnt = path->mnt;
++
++	/* Only bind mounts can have disconnected paths */
++	if (mnt->mnt_root == mnt->mnt_sb->s_root)
++		return true;
++
++	return is_subdir(path->dentry, mnt->mnt_root);
++}
++
+ /*
+  * Path walking has 2 modes, rcu-walk and ref-walk (see
+  * Documentation/filesystems/path-lookup.txt).  In situations when we can't
+@@ -1155,6 +1173,8 @@ static int follow_dotdot_rcu(struct name
+ 				goto failed;
+ 			nd->path.dentry = parent;
+ 			nd->seq = seq;
++			if (unlikely(!path_connected(&nd->path)))
++				return -ENOENT;
+ 			break;
+ 		}
+ 		if (!follow_up_rcu(&nd->path))
+@@ -1247,7 +1267,7 @@ static void follow_mount(struct path *pa
+ 	}
+ }
+ 
+-static void follow_dotdot(struct nameidata *nd)
++static int follow_dotdot(struct nameidata *nd)
+ {
+ 	if (!nd->root.mnt)
+ 		set_root(nd);
+@@ -1263,6 +1283,8 @@ static void follow_dotdot(struct nameida
+ 			/* rare case of legitimate dget_parent()... */
+ 			nd->path.dentry = dget_parent(nd->path.dentry);
+ 			dput(old);
++			if (unlikely(!path_connected(&nd->path)))
++				return -ENOENT;
+ 			break;
+ 		}
+ 		if (!follow_up(&nd->path))
+@@ -1270,6 +1292,7 @@ static void follow_dotdot(struct nameida
+ 	}
+ 	follow_mount(&nd->path);
+ 	nd->inode = nd->path.dentry->d_inode;
++	return 0;
+ }
+ 
+ /*
+@@ -1492,7 +1515,7 @@ static inline int handle_dots(struct nam
+ 		if (nd->flags & LOOKUP_RCU) {
+ 			return follow_dotdot_rcu(nd);
+ 		} else
+-			follow_dotdot(nd);
++			return follow_dotdot(nd);
+ 	}
+ 	return 0;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 651145d..d338cb1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -645,3 +645,6 @@ bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch
 bugfix/all/virtio-net-drop-netif_f_fraglist.patch
 bugfix/all/vhost-actually-track-log-eventfd-file.patch
 bugfix/all/rds-verify-the-underlying-transport-exists-before-cr.patch
+bugfix/all/namei-lift-open-coded-terminate_walk-in-follow_dotdo.patch
+bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
+bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list