[linux] 02/02: vfs: Fix possible escape from mount namespace (CVE-2015-2925)
benh pushed a commit to branch jessie-security
in repository linux.
commit 98ab0b496f086a0e528da5d019c62bdfe5463b81
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Sep 19 03:11:36 2015 +0200
vfs: Fix possible escape from mount namespace (CVE-2015-2925)
---
debian/changelog | 5 +
...ache-handle-escaped-paths-in-prepend_path.patch | 58 ++++++++++++
...open-coded-terminate_walk-in-follow_dotdo.patch | 66 +++++++++++++
...r-and-handle-paths-that-are-unreachable-f.patch | 103 +++++++++++++++++++++
debian/patches/series | 3 +
5 files changed, 235 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 1bdf892..fd2c151 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,11 @@ linux (3.16.7-ckt11-1+deb8u4) UNRELEASED; urgency=medium
* aufs3: mmap: Fix races in madvise_remove() and sys_msync() (Closes: #796036)
* RDS: verify the underlying transport exists before creating a connection
(CVE-2015-6937)
+ * vfs: Fix possible escape from mount namespace (CVE-2015-2925):
+ - namei: lift (open-coded) terminate_walk() in follow_dotdot_rcu() into
+ callers
+ - dcache: Handle escaped paths in prepend_path
+ - vfs: Test for and handle paths that are unreachable from their mnt_root
-- Ben Hutchings <ben at decadent.org.uk> Wed, 09 Sep 2015 21:21:36 +0100
diff --git a/debian/patches/bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch b/debian/patches/bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
new file mode 100644
index 0000000..e038e06
--- /dev/null
+++ b/debian/patches/bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
@@ -0,0 +1,58 @@
+From: "Eric W. Biederman" <ebiederm at xmission.com>
+Date: Sat, 15 Aug 2015 13:36:12 -0500
+Subject: dcache: Handle escaped paths in prepend_path
+Origin: https://git.kernel.org/linus/cde93be45a8a90d8c264c776fab63487b5038a65
+
+A rename can result in a dentry that by walking up d_parent
+will never reach it's mnt_root. For lack of a better term
+I call this an escaped path.
+
+prepend_path is called by four different functions __d_path,
+d_absolute_path, d_path, and getcwd.
+
+__d_path only wants to see paths are connected to the root it passes
+in. So __d_path needs prepend_path to return an error.
+
+d_absolute_path similarly wants to see paths that are connected to
+some root. Escaped paths are not connected to any mnt_root so
+d_absolute_path needs prepend_path to return an error greater
+than 1. So escaped paths will be treated like paths on lazily
+unmounted mounts.
+
+getcwd needs to prepend "(unreachable)" so getcwd also needs
+prepend_path to return an error.
+
+d_path is the interesting hold out. d_path just wants to print
+something, and does not care about the weird cases. Which raises
+the question what should be printed?
+
+Given that <escaped_path>/<anything> should result in -ENOENT I
+believe it is desirable for escaped paths to be printed as empty
+paths. As there are not really any meaninful path components when
+considered from the perspective of a mount tree.
+
+So tweak prepend_path to return an empty path with an new error
+code of 3 when it encounters an escaped path.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ fs/dcache.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2909,6 +2909,13 @@ restart:
+
+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
+ struct mount *parent = ACCESS_ONCE(mnt->mnt_parent);
++ /* Escaped? */
++ if (dentry != vfsmnt->mnt_root) {
++ bptr = *buffer;
++ blen = *buflen;
++ error = 3;
++ break;
++ }
+ /* Global root? */
+ if (mnt != parent) {
+ dentry = ACCESS_ONCE(mnt->mnt_mountpoint);
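Review bot: The new escape branch in prepend_path encodes its outcome as the bare literal `error = 3` with only `/* Escaped? */` beside it, so a reader of the callers has to dig out this patch's description to learn what 3 means or why bptr and blen are reset to the caller's buffer. A comment on that line along the lines of `/* Escaped: walked up to a root that is not mnt_root (a rename moved the dentry out of the bind mount); return an empty path and error 3 so callers treat it like a lazily unmounted mount */` would keep the contract next to the code. A named constant would be better still, but the callers that interpret the value are outside this hunk. prepend_path begins and ends outside the hunk.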
diff --git a/debian/patches/bugfix/all/namei-lift-open-coded-terminate_walk-in-follow_dotdo.patch b/debian/patches/bugfix/all/namei-lift-open-coded-terminate_walk-in-follow_dotdo.patch
new file mode 100644
index 0000000..82d4dfa
--- /dev/null
+++ b/debian/patches/bugfix/all/namei-lift-open-coded-terminate_walk-in-follow_dotdo.patch
@@ -0,0 +1,66 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Mon, 4 May 2015 07:53:00 -0400
+Subject: namei: lift (open-coded) terminate_walk() in follow_dotdot_rcu() into
+ callers
+Origin: https://git.kernel.org/linus/70291aecc6aa228c1b3bb36a5f3efdb0af636042
+
+follow_dotdot_rcu() does an equivalent of terminate_walk() on failure;
+shifting it into callers makes for simpler rules and those callers
+already have terminate_walk() on other failure exits.
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+[bwh: Backported to 3.16: adjust context]
+---
+ fs/namei.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1178,10 +1178,6 @@ static int follow_dotdot_rcu(struct name
+ return 0;
+
+ failed:
+- nd->flags &= ~LOOKUP_RCU;
+- if (!(nd->flags & LOOKUP_ROOT))
+- nd->root.mnt = NULL;
+- rcu_read_unlock();
+ return -ECHILD;
+ }
+
+@@ -1494,8 +1490,7 @@ static inline int handle_dots(struct nam
+ {
+ if (type == LAST_DOTDOT) {
+ if (nd->flags & LOOKUP_RCU) {
+- if (follow_dotdot_rcu(nd))
+- return -ECHILD;
++ return follow_dotdot_rcu(nd);
+ } else
+ follow_dotdot(nd);
+ }
+@@ -1535,8 +1530,12 @@ static inline int walk_component(struct
+ * to be able to know about the current root directory and
+ * parent relationships.
+ */
+- if (unlikely(nd->last_type != LAST_NORM))
+- return handle_dots(nd, nd->last_type);
++ if (unlikely(nd->last_type != LAST_NORM)) {
++ err = handle_dots(nd, nd->last_type);
++ if (err)
++ goto out_err;
++ return 0;
++ }
+ err = lookup_fast(nd, path, &inode);
+ if (unlikely(err)) {
+ if (err < 0)
+@@ -2904,8 +2903,10 @@ static int do_last(struct nameidata *nd,
+
+ if (nd->last_type != LAST_NORM) {
+ error = handle_dots(nd, nd->last_type);
+- if (error)
++ if (unlikely(error)) {
++ terminate_walk(nd);
+ return error;
++ }
+ goto finish_open;
+ }
+
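Review bot: With the open-coded cleanup removed at the `failed:` label, follow_dotdot_rcu() now returns -ECHILD while still inside rcu_read_lock and with LOOKUP_RCU set, and nothing at the label records that the caller now owns that unwinding; a one-line comment there, `/* caller must terminate_walk() on this error */`, would make the new contract visible where the old code was. The walk_component hunk routes the failure to `goto out_err`, whose body is outside the hunk, so I can only assume it performs the terminate_walk that do_last now does explicitly. Both follow_dotdot_rcu and walk_component start outside the hunk.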
diff --git a/debian/patches/bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch b/debian/patches/bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch
new file mode 100644
index 0000000..751d512
--- /dev/null
+++ b/debian/patches/bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch
@@ -0,0 +1,103 @@
+From: "Eric W. Biederman" <ebiederm at xmission.com>
+Date: Sat, 15 Aug 2015 20:27:13 -0500
+Subject: vfs: Test for and handle paths that are unreachable from their mnt_root
+Origin: https://git.kernel.org/linus/397d425dc26da728396e66d392d5dcb8dac30c37
+
+In rare cases a directory can be renamed out from under a bind mount.
+In those cases without special handling it becomes possible to walk up
+the directory tree to the root dentry of the filesystem and down
+from the root dentry to every other file or directory on the filesystem.
+
+Like division by zero .. from an unconnected path can not be given
+a useful semantic as there is no predicting at which path component
+the code will realize it is unconnected. We certainly can not match
+the current behavior as the current behavior is a security hole.
+
+Therefore when encounting .. when following an unconnected path
+return -ENOENT.
+
+- Add a function path_connected to verify path->dentry is reachable
+ from path->mnt.mnt_root. AKA to validate that rename did not do
+ something nasty to the bind mount.
+
+ To avoid races path_connected must be called after following a path
+ component to it's next path component.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+[bwh: Backported to 3.16: adjust context]
+---
+ fs/namei.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -486,6 +486,24 @@ void path_put(const struct path *path)
+ }
+ EXPORT_SYMBOL(path_put);
+
++/**
++ * path_connected - Verify that a path->dentry is below path->mnt.mnt_root
++ * @path: nameidate to verify
++ *
++ * Rename can sometimes move a file or directory outside of a bind
++ * mount, path_connected allows those cases to be detected.
++ */
++static bool path_connected(const struct path *path)
++{
++ struct vfsmount *mnt = path->mnt;
++
++ /* Only bind mounts can have disconnected paths */
++ if (mnt->mnt_root == mnt->mnt_sb->s_root)
++ return true;
++
++ return is_subdir(path->dentry, mnt->mnt_root);
++}
++
+ /*
+ * Path walking has 2 modes, rcu-walk and ref-walk (see
+ * Documentation/filesystems/path-lookup.txt). In situations when we can't
+@@ -1155,6 +1173,8 @@ static int follow_dotdot_rcu(struct name
+ goto failed;
+ nd->path.dentry = parent;
+ nd->seq = seq;
++ if (unlikely(!path_connected(&nd->path)))
++ return -ENOENT;
+ break;
+ }
+ if (!follow_up_rcu(&nd->path))
+@@ -1247,7 +1267,7 @@ static void follow_mount(struct path *pa
+ }
+ }
+
+-static void follow_dotdot(struct nameidata *nd)
++static int follow_dotdot(struct nameidata *nd)
+ {
+ if (!nd->root.mnt)
+ set_root(nd);
+@@ -1263,6 +1283,8 @@ static void follow_dotdot(struct nameida
+ /* rare case of legitimate dget_parent()... */
+ nd->path.dentry = dget_parent(nd->path.dentry);
+ dput(old);
++ if (unlikely(!path_connected(&nd->path)))
++ return -ENOENT;
+ break;
+ }
+ if (!follow_up(&nd->path))
+@@ -1270,6 +1292,7 @@ static void follow_dotdot(struct nameida
+ }
+ follow_mount(&nd->path);
+ nd->inode = nd->path.dentry->d_inode;
++ return 0;
+ }
+
+ /*
+@@ -1492,7 +1515,7 @@ static inline int handle_dots(struct nam
+ if (nd->flags & LOOKUP_RCU) {
+ return follow_dotdot_rcu(nd);
+ } else
+- follow_dotdot(nd);
++ return follow_dotdot(nd);
+ }
+ return 0;
+ }
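Review bot: The kerneldoc added for path_connected describes its parameter as `@path: nameidate to verify`, but the argument is a `const struct path *`, not a nameidata; `@path: path (mount and dentry) to verify` matches the signature. The new `return -ENOENT` in follow_dotdot_rcu leaves the RCU and nd->root unwinding to the caller, which is only correct because the namei-lift patch is applied first — the series file does order it first, so that dependency deserves a mention in the patch header next to the `[bwh: Backported to 3.16: adjust context]` line. In the ref-walk follow_dotdot the early return also skips the follow_mount and nd->inode update at the end of the function; that is presumably fine because the walk is terminated, but a short comment would explain why the error path differs from the success path. Both follow_dotdot functions start outside the hunk.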
diff --git a/debian/patches/series b/debian/patches/series
index 651145d..d338cb1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -645,3 +645,6 @@ bugfix/all/ipv6-addrconf-validate-new-MTU-before-applying-it.patch
bugfix/all/virtio-net-drop-netif_f_fraglist.patch
bugfix/all/vhost-actually-track-log-eventfd-file.patch
bugfix/all/rds-verify-the-underlying-transport-exists-before-cr.patch
+bugfix/all/namei-lift-open-coded-terminate_walk-in-follow_dotdo.patch
+bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
+bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch