diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-12-22 13:01:50 +0100 |
---|---|---|
committer | Huimin She <huimin.she@enea.com> | 2015-12-22 15:42:49 +0100 |
commit | 4b78021ae978a0639b5b4bb7c877d4a66b9b43f2 (patch) | |
tree | 02d5237c086e705a6e7f4d14d31dfe87070f02f8 /recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch | |
parent | 08b46ce9e33c472ae04a8f1ec6ad1601594797f7 (diff) | |
download | meta-hierofalcon-4b78021ae978a0639b5b4bb7c877d4a66b9b43f2.tar.gz |
kernel-mnt: CVE-2015-4177
Fixes race conditions in collect_mounts
References:
http://seclists.org/oss-sec/2015/q2/640
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4177
Upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=0de0e610f6b359c52d4f8b02bac2963f4968c9d6
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Huimin She <huimin.she@enea.com>
Diffstat (limited to 'recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch')
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch new file mode 100644 index 0000000..6bd9a75 --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch | |||
@@ -0,0 +1,56 @@ | |||
1 | From 0de0e610f6b359c52d4f8b02bac2963f4968c9d6 Mon Sep 17 00:00:00 2001 | ||
2 | From: "Eric W. Biederman" <ebiederm@xmission.com> | ||
3 | Date: Wed, 7 Jan 2015 14:28:26 -0600 | ||
4 | Subject: mnt: Fail collect_mounts when applied to unmounted mounts | ||
5 | |||
6 | [ Upstream commit cd4a40174b71acd021877341684d8bb1dc8ea4ae ] | ||
7 | |||
8 | The only users of collect_mounts are in audit_tree.c | ||
9 | |||
10 | In audit_trim_trees and audit_add_tree_rule the path passed into | ||
11 | collect_mounts is generated from kern_path passed an audit_tree | ||
12 | pathname which is guaranteed to be an absolute path. In those cases | ||
13 | collect_mounts is obviously intended to work on mounted paths and | ||
14 | if a race results in paths that are unmounted when collect_mounts | ||
15 | it is reasonable to fail early. | ||
16 | |||
17 | The paths passed into audit_tag_tree don't have the absolute path | ||
18 | check. But are used to play with fsnotify and otherwise interact with | ||
19 | the audit_trees, so again operating only on mounted paths appears | ||
20 | reasonable. | ||
21 | |||
22 | Avoid having to worry about what happens when we try and audit | ||
23 | unmounted filesystems by restricting collect_mounts to mounts | ||
24 | that appear in the mount tree. | ||
25 | |||
26 | Fixes CVE-2015-4177. | ||
27 | Upstream-Status: Backport | ||
28 | |||
29 | Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> | ||
30 | Signed-off-by: Sasha Levin <sasha.levin@oracle.com> | ||
31 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
32 | --- | ||
33 | fs/namespace.c | 7 +++++-- | ||
34 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
35 | |||
36 | diff --git a/fs/namespace.c b/fs/namespace.c | ||
37 | index 64837e3..8b60287 100644 | ||
38 | --- a/fs/namespace.c | ||
39 | +++ b/fs/namespace.c | ||
40 | @@ -1675,8 +1675,11 @@ struct vfsmount *collect_mounts(struct path *path) | ||
41 | { | ||
42 | struct mount *tree; | ||
43 | namespace_lock(); | ||
44 | - tree = copy_tree(real_mount(path->mnt), path->dentry, | ||
45 | - CL_COPY_ALL | CL_PRIVATE); | ||
46 | + if (!check_mnt(real_mount(path->mnt))) | ||
47 | + tree = ERR_PTR(-EINVAL); | ||
48 | + else | ||
49 | + tree = copy_tree(real_mount(path->mnt), path->dentry, | ||
50 | + CL_COPY_ALL | CL_PRIVATE); | ||
51 | namespace_unlock(); | ||
52 | if (IS_ERR(tree)) | ||
53 | return ERR_CAST(tree); | ||
54 | -- | ||
55 | cgit v0.11.2 | ||
56 | |||