Diffstat (limited to 'recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch')
-rw-r--r-- | recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch | 62 |
1 files changed, 62 insertions, 0 deletions
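diff --git a/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..aec8930
--- /dev/null
+++ b/recipes-kernel/linux/files/0001-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,62 @@
+From 25c1def33a2f74079f3062b7afdf98fcf9f34e6d Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 28 Jul 2014 16:26:53 -0700
+Subject: [PATCH] mnt: Only change user settable mount flags in remount
+
+commit a6138db815df5ee542d848318e5dae681590fccd upstream.
+
+Kenton Varda <kenton@sandstorm.io> discovered that by remounting a
+read-only bind mount read-only in a user namespace the
+MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
+to the remount a read-only mount read-write.
+
+Correct this by replacing the mask of mount flags to preserve
+with a mask of mount flags that may be changed, and preserve
+all others. This ensures that any future bugs with this mask and
+remount will fail in an easy to detect way where new mount flags
+simply won't change.
+
+Fix for CVE-2014-5206 and CVE-2014-5207
+Upstream-Status: backport
+
+Cc: stable@vger.kernel.org
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+fs/namespace.c | 2 +-
+include/linux/mount.h | 4 +++-
+2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 84447db..34fa7a5 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1847,7 +1847,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
+err = do_remount_sb(sb, flags, data, 0);
+if (!err) {
+br_write_lock(&vfsmount_lock);
+- mnt_flags |= mnt->mnt.mnt_flags & MNT_PROPAGATION_MASK;
++ mnt_flags |= mnt->mnt.mnt_flags & ~MNT_USER_SETTABLE_MASK;
+mnt->mnt.mnt_flags = mnt_flags;
+br_write_unlock(&vfsmount_lock);
+}
+diff --git a/include/linux/mount.h b/include/linux/mount.h
+index 38cd98f..8707c9e 100644
+--- a/include/linux/mount.h
++++ b/include/linux/mount.h
+@@ -42,7 +42,9 @@ struct mnt_namespace;
+* flag, consider how it interacts with shared mounts.
+*/
+#define MNT_SHARED_MASK (MNT_UNBINDABLE)
+-#define MNT_PROPAGATION_MASK (MNT_SHARED | MNT_UNBINDABLE)
++#define MNT_USER_SETTABLE_MASK (MNT_NOSUID | MNT_NODEV | MNT_NOEXEC \
++ | MNT_NOATIME | MNT_NODIRATIME | MNT_RELATIME \
++ | MNT_READONLY)
+
+
+#define MNT_INTERNAL 0x4000
+--
+1.9.1
+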
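Review bot: The header line `Fix for CVE-2014-5206 and CVE-2014-5207` overstates what this file carries: the body is only upstream a6138db, whose own description covers the MNT_LOCK_READONLY bit being cleared on a user-namespace remount, which is the CVE-2014-5206 issue. As far as I can tell, CVE-2014-5207 (an unprivileged remount clearing MNT_NOSUID/MNT_NODEV/MNT_NOEXEC or changing the atime flags) was fixed by the separate upstream commit "mnt: Correct permission checks in do_remount" and its atime-default follow-up, neither of which is in this patch, so either add those as further backports or narrow the claim to `Fix for CVE-2014-5206`. One backport caveat worth checking against this kernel tree: the mount.h hunk removes MNT_PROPAGATION_MASK outright, so any remaining user of that macro outside do_remount will fail to build, and the new mask is inverted in meaning from the old one (flags that may change rather than flags to keep), so a comment above it would help, e.g. `/* Flags an unprivileged remount may change; every other mnt_flag is preserved. */`. The do_remount body starts and ends outside the hunk, so the permission checks that gate which of these flags a user may actually set are not visible here.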