| From 0d0826019e529f21c84687521d03f60cd241ca7d Mon Sep 17 00:00:00 2001 |
| From: "Eric W. Biederman" <ebiederm@xmission.com> |
| Date: Wed, 8 Oct 2014 10:42:27 -0700 |
| Subject: mnt: Prevent pivot_root from creating a loop in the mount tree |
| |
| From: "Eric W. Biederman" <ebiederm@xmission.com> |
| |
| commit 0d0826019e529f21c84687521d03f60cd241ca7d upstream. |
| |
| Andy Lutomirski recently demonstrated that when chroot is used to set |
| the root path below the path for the new "root" passed to pivot_root, |
| the pivot_root system call succeeds and leaks mounts. |
| |
| In examining the code I see that starting with a new root that is |
| below the current root in the mount tree will result in a loop in the |
| mount tree after the mounts are detached and then reattached to one |
| another, resulting in all kinds of ugliness, including a leak of the |
| mounts involved in the mount loop. |
| |
| Prevent this problem by ensuring that the new mount is reachable from |
| the current root of the mount tree. |
| |
| [Added stable cc. Fixes CVE-2014-7970. --Andy] |
| |
| Reported-by: Andy Lutomirski <luto@amacapital.net> |
| Reviewed-by: Andy Lutomirski <luto@amacapital.net> |
| Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org |
| Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> |
| Signed-off-by: Andy Lutomirski <luto@amacapital.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/namespace.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/fs/namespace.c |
| +++ b/fs/namespace.c |
| @@ -2822,6 +2822,9 @@ SYSCALL_DEFINE2(pivot_root, const char _ |
| /* make sure we can reach put_old from new_root */ |
| if (!is_path_reachable(old_mnt, old.dentry, &new)) |
| goto out4; |
| + /* make certain new is below the root */ |
| + if (!is_path_reachable(new_mnt, new.dentry, &root)) |
| + goto out4; |
| root_mp->m_count++; /* pin it so it won't go away */ |
| lock_mount_hash(); |
| detach_mnt(new_mnt, &parent_path); |
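Review bot: the comment on the added check ("make certain new is below the root") is phrased differently from the one directly above it and does not say which root is meant; for symmetry with `/* make sure we can reach put_old from new_root */`, consider `/* make sure we can reach new from the current root */`, which states exactly what `is_path_reachable(new_mnt, new.dentry, &root)` verifies. With that wording the two checks read as the pair they are: put_old must be reachable from new, and new must be reachable from the caller's current root, which is the condition that rules out the mount-tree loop the commit message describes once `detach_mnt()` and the later reattachment run. Both checks sit before `root_mp->m_count++` and `lock_mount_hash()`, so the early `goto out4` does not leave an extra pin or a held lock behind, which is the right placement.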