fs: umount on symlink leaks mnt count, CVE-2014-5045

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2014-09-05 14:59:02 +0200
committer: Zhenhua Luo <zhenhua.luo@freescale.com> 2014-09-09 17:17:37 +0800
commit: bfec563fa7ddde87748cb30e4e581629623df652 (patch)
tree: 1bb81d29cbc84a66d3514725c7da8b4572443bb9 /recipes-kernel
parent: 473dc89bb6b7bd24018e9899950e9258ff5e560e (diff)
download: meta-fsl-ppc-bfec563fa7ddde87748cb30e4e581629623df652.tar.gz
2 files changed, 48 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch b/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch
new file mode 100644
index 0000000..1ae600f
--- /dev/null
+++ b/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch
@@ -0,0 +1,47 @@
+fs: umount on symlink leaks mnt count
+commit 295dc39d941dc2ae53d5c170365af4c9d5c16212 upstream.
+Currently umount on symlink blocks following umount:
+/vz is separate mount
+drwxr-xr-x.  2 root root       4096 Jul 19 01:14 testdir
+lrwxrwxrwx.  1 root root         11 Jul 19 01:16 testlink -> /vz/testdir
+umount: /vz/testlink: not mounted (expected)
+umount: /vz: device is busy. (unexpected)
+In this case mountpoint_last() gets an extra refcount on path->mnt
+Upstream-Status: Backport
+Signed-off-by: Vasily Averin <vvs@openvz.org>
+Acked-by: Ian Kent <raven@themaw.net>
+Acked-by: Jeff Layton <jlayton@primarydata.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/namei.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/fs/namei.c b/fs/namei.c
+index 187cacf..c199dcc 100644
+--- a/fs/namei.c
+++ b/fs/namei.c
+@@ -2280,9 +2280,10 @@ done:
+                goto out;
+        }
+        path->dentry = dentry;
+-       path->mnt = mntget(nd->path.mnt);
+       path->mnt = nd->path.mnt;
+        if (should_follow_link(dentry->d_inode, nd->flags & LOOKUP_FOLLOW))
+                return 1;
+       mntget(path->mnt);
+        follow_mount(path);
+        error = 0;
+ out:
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 5d9a1f0..4e9c50b 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -2,6 +2,7 @@ require recipes-kernel/linux/linux-qoriq.inc
 SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://powerpc-Fix-64-bit-builds-with-binutils-2.24.patch \
+    file://Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch \
 "
 SRCREV = "c29fe1a733308cbe592b3af054a97be1b91cf2dd"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2014-09-05 14:59:02 +0200
committer	Zhenhua Luo <zhenhua.luo@freescale.com>	2014-09-09 17:17:37 +0800
commit	bfec563fa7ddde87748cb30e4e581629623df652 (patch)
tree	1bb81d29cbc84a66d3514725c7da8b4572443bb9 /recipes-kernel
parent	473dc89bb6b7bd24018e9899950e9258ff5e560e (diff)
download	meta-fsl-ppc-bfec563fa7ddde87748cb30e4e581629623df652.tar.gz

diff --git a/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch b/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch new file mode 100644 index 0000000..1ae600f --- /dev/null +++ b/recipes-kernel/linux/files/Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch
@@ -0,0 +1,47 @@
		1	fs: umount on symlink leaks mnt count
		2
		3	commit 295dc39d941dc2ae53d5c170365af4c9d5c16212 upstream.
		4
		5	Currently umount on symlink blocks following umount:
		6
		7	/vz is separate mount
		8
		9	drwxr-xr-x. 2 root root 4096 Jul 19 01:14 testdir
		10	lrwxrwxrwx. 1 root root 11 Jul 19 01:16 testlink -> /vz/testdir
		11	umount: /vz/testlink: not mounted (expected)
		12
		13	umount: /vz: device is busy. (unexpected)
		14
		15	In this case mountpoint_last() gets an extra refcount on path->mnt
		16
		17	Upstream-Status: Backport
		18
		19	Signed-off-by: Vasily Averin <vvs@openvz.org>
		20	Acked-by: Ian Kent <raven@themaw.net>
		21	Acked-by: Jeff Layton <jlayton@primarydata.com>
		22	Cc: stable@vger.kernel.org
		23	Signed-off-by: Christoph Hellwig <hch@lst.de>
		24	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		25	---
		26	fs/namei.c \| 3 ++-
		27	1 file changed, 2 insertions(+), 1 deletion(-)
		28
		29	diff --git a/fs/namei.c b/fs/namei.c
		30	index 187cacf..c199dcc 100644
		31	--- a/fs/namei.c
		32	+++ b/fs/namei.c
		33	@@ -2280,9 +2280,10 @@ done:
		34	goto out;
		35	}
		36	path->dentry = dentry;
		37	- path->mnt = mntget(nd->path.mnt);
		38	+ path->mnt = nd->path.mnt;
		39	if (should_follow_link(dentry->d_inode, nd->flags & LOOKUP_FOLLOW))
		40	return 1;
		41	+ mntget(path->mnt);
		42	follow_mount(path);
		43	error = 0;
		44	out:
		45	--
		46	1.9.1
		47


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index 5d9a1f0..4e9c50b 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -2,6 +2,7 @@ require recipes-kernel/linux/linux-qoriq.inc
2		2
3	SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \	3	SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
4	file://powerpc-Fix-64-bit-builds-with-binutils-2.24.patch \	4	file://powerpc-Fix-64-bit-builds-with-binutils-2.24.patch \
		5	file://Fix-for-CVE-2014-5045-fs-umount-on-symlink-leak.patch \
5	"	6	"
6	SRCREV = "c29fe1a733308cbe592b3af054a97be1b91cf2dd"	7	SRCREV = "c29fe1a733308cbe592b3af054a97be1b91cf2dd"
7		8