Diffstat (limited to 'recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch')
-rw-r--r-- | recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch | 62 |
1 files changed, 62 insertions, 0 deletions
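diff --git a/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch b/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
new file mode 100644
index 0000000..b08f217
--- /dev/null
+++ b/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch
@@ -0,0 +1,62 @@
+From cab259f821fad20afa688d3fbeb47356447ac20b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 28 Jul 2014 17:10:56 -0700
+Subject: [PATCH] mnt: Move the test for MNT_LOCK_READONLY from
+change_mount_flags into do_remount
+
+commit 07b645589dcda8b7a5249e096fece2a67556f0f4 upstream.
+
+There are no races as locked mount flags are guaranteed to never change.
+
+Moving the test into do_remount makes it more visible, and ensures all
+filesystem remounts pass the MNT_LOCK_READONLY permission check. This
+second case is not an issue today as filesystem remounts are guarded
+by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged
+mount namespaces, but it could become an issue in the future.
+
+Fix for CVE-2014-5206 and CVE-2014-5207
+Upstream-Status: backport
+
+Cc: stable@vger.kernel.org
+Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+fs/namespace.c | 13 ++++++++++---
+1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 34fa7a5..8e90b03 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1806,9 +1806,6 @@ static int change_mount_flags(struct vfsmount *mnt, int ms_flags)
+if (readonly_request == __mnt_is_readonly(mnt))
+return 0;
+
+- if (mnt->mnt_flags & MNT_LOCK_READONLY)
+- return -EPERM;
+-
+if (readonly_request)
+error = mnt_make_readonly(real_mount(mnt));
+else
+@@ -1834,6 +1831,16 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
+if (path->dentry != path->mnt->mnt_root)
+return -EINVAL;
+
++ /* Don't allow changing of locked mnt flags.
++ *
++ * No locks need to be held here while testing the various
++ * MNT_LOCK flags because those flags can never be cleared
++ * once they are set.
++ */
++ if ((mnt->mnt.mnt_flags & MNT_LOCK_READONLY) &&
++ !(mnt_flags & MNT_READONLY)) {
++ return -EPERM;
++ }
+err = security_sb_remount(sb, data);
+if (err)
+return err;
+--
+1.9.1
+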
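Review bot: The header line `Fix for CVE-2014-5206 and CVE-2014-5207` credits both CVEs to this one patch, but the only behavioural change visible in the fs/namespace.c hunks is that the MNT_LOCK_READONLY test moves from change_mount_flags into do_remount. The added comment speaks of "the various MNT_LOCK flags", yet the condition tests MNT_LOCK_READONLY alone, so as shown here other mount flags are not protected against being changed on remount. The `0002-` prefix suggests this is one of a series, and the remaining checks are presumably in sibling patches not visible on this page. I would make that dependency explicit in the header, e.g. `Part of the fix for CVE-2014-5206 and CVE-2014-5207; only effective together with the other patches in this series`, and confirm the recipe's SRC_URI applies all of them in order. Both do_remount and change_mount_flags continue outside the hunks, so the declaration of `mnt` used by the new test cannot be checked from here.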