| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-01-27 07:47:06 +0100 |
|---|---|---|
| committer | Paul Vaduva <Paul.Vaduva@enea.com> | 2016-01-27 10:01:40 +0100 |
| commit | 859a1735be48a2ff960354772832c65b15e3377c (patch) | |
| tree | 397d5d9cd410620f15870a02edf88e6c41236c99 /recipes-kernel/linux/linux-yocto-3.14/dcache-CVE-2015-2925.patch | |
| parent | 618f92251544de938a21b88be6205b42e03e9d44 (diff) | |
| download | meta-enea-859a1735be48a2ff960354772832c65b15e3377c.tar.gz | |
kernel-vfs: CVE-2015-2925
Fixes a flaw which was found in the way the Linux kernel's file system
implementation handled rename operations in which the source was inside
and the destination was outside of a bind mount.
A privileged user inside a container could use this flaw to escape the bind
mount and, potentially, escalate their privileges on the system.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2925
http://www.openwall.com/lists/oss-security/2015/04/03/7
Reference to the upstream fixes:
vfs: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=397d425dc26da728396e66d392d5dcb8dac30c37
dcache: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cde93be45a8a90d8c264c776fab63487b5038a65
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>
Diffstat (limited to 'recipes-kernel/linux/linux-yocto-3.14/dcache-CVE-2015-2925.patch')
-rw-r--r-- | recipes-kernel/linux/linux-yocto-3.14/dcache-CVE-2015-2925.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-yocto-3.14/dcache-CVE-2015-2925.patch b/recipes-kernel/linux/linux-yocto-3.14/dcache-CVE-2015-2925.patch
new file mode 100644
index 0000000..84b72ba
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto-3.14/dcache-CVE-2015-2925.patch
@@ -0,0 +1,69 @@ | |||
1 | From cb1320693b9d8d32651a2bb7cd15498408732b8f Mon Sep 17 00:00:00 2001 | ||
2 | From: "Eric W. Biederman" <ebiederm@xmission.com> | ||
3 | Date: Sat, 15 Aug 2015 13:36:12 -0500 | ||
4 | Subject: dcache: Handle escaped paths in prepend_path | ||
5 | |||
6 | commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream. | ||
7 | |||
8 | A rename can result in a dentry that by walking up d_parent | ||
9 | will never reach it's mnt_root. For lack of a better term | ||
10 | I call this an escaped path. | ||
11 | |||
12 | prepend_path is called by four different functions __d_path, | ||
13 | d_absolute_path, d_path, and getcwd. | ||
14 | |||
15 | __d_path only wants to see paths are connected to the root it passes | ||
16 | in. So __d_path needs prepend_path to return an error. | ||
17 | |||
18 | d_absolute_path similarly wants to see paths that are connected to | ||
19 | some root. Escaped paths are not connected to any mnt_root so | ||
20 | d_absolute_path needs prepend_path to return an error greater | ||
21 | than 1. So escaped paths will be treated like paths on lazily | ||
22 | unmounted mounts. | ||
23 | |||
24 | getcwd needs to prepend "(unreachable)" so getcwd also needs | ||
25 | prepend_path to return an error. | ||
26 | |||
27 | d_path is the interesting hold out. d_path just wants to print | ||
28 | something, and does not care about the weird cases. Which raises | ||
29 | the question what should be printed? | ||
30 | |||
31 | Given that <escaped_path>/<anything> should result in -ENOENT I | ||
32 | believe it is desirable for escaped paths to be printed as empty | ||
33 | paths. As there are not really any meaninful path components when | ||
34 | considered from the perspective of a mount tree. | ||
35 | |||
36 | So tweak prepend_path to return an empty path with an new error | ||
37 | code of 3 when it encounters an escaped path. | ||
38 | |||
39 | Fixes CVE-2015-2925. | ||
40 | Upstream-Status: Backport | ||
41 | |||
42 | Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> | ||
43 | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> | ||
44 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
45 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
46 | --- | ||
47 | fs/dcache.c | 7 +++++++ | ||
48 | 1 file changed, 7 insertions(+) | ||
49 | |||
50 | diff --git a/fs/dcache.c b/fs/dcache.c | ||
51 | index df323f8..65ccdf0 100644 | ||
52 | --- a/fs/dcache.c | ||
53 | +++ b/fs/dcache.c | ||
54 | @@ -2787,6 +2787,13 @@ restart: | ||
55 | |||
56 | if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) { | ||
57 | struct mount *parent = ACCESS_ONCE(mnt->mnt_parent); | ||
58 | + /* Escaped? */ | ||
59 | + if (dentry != vfsmnt->mnt_root) { | ||
60 | + bptr = *buffer; | ||
61 | + blen = *buflen; | ||
62 | + error = 3; | ||
63 | + break; | ||
64 | + } | ||
65 | /* Global root? */ | ||
66 | if (mnt != parent) { | ||
67 | dentry = ACCESS_ONCE(mnt->mnt_mountpoint); | ||
68 | -- | ||
69 | cgit v0.12 | ||
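Review bot: this hunk adds only the dcache half of the fix, and by the backported patch's own description that half changes how an escaped path is printed (prepend_path returns an empty path with error code 3), not whether a lookup through it fails; the commit message lists a second upstream commit (vfs, 397d425dc26da728396e66d392d5dcb8dac30c37) and says "<escaped_path>/<anything> should result in -ENOENT", which is the behaviour that actually closes the bind-mount escape. Since the diffstat is limited to this one file, please confirm the companion vfs patch file and the SRC_URI entries for both patches are part of the same commit, otherwise a tree carrying only dcache-CVE-2015-2925.patch would still be affected while appearing to reference the CVE. Minor: the "Upstream-Status: Backport" tag sits inside the imported upstream message body (between "Fixes CVE-2015-2925." and the Signed-off-by block); the usual convention in this layer is to keep it together with the local Signed-off-by line so the upstream text stays verbatim.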