kernel-mnt: CVE-2015-4177

Fixes race conditions in collect_mounts References: http://seclists.org/oss-sec/2015/q2/640 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4177 Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=0de0e610f6b359c52d4f8b02bac2963f4968c9d6 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Huimin She <huimin.she@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-12-22 13:01:50 +0100
committer: Huimin She <huimin.she@enea.com> 2015-12-22 15:42:49 +0100
commit: 4b78021ae978a0639b5b4bb7c877d4a66b9b43f2 (patch)
tree: 02d5237c086e705a6e7f4d14d31dfe87070f02f8 /recipes-kernel/linux/linux-hierofalcon-3.19
parent: 08b46ce9e33c472ae04a8f1ec6ad1601594797f7 (diff)
download: meta-hierofalcon-4b78021ae978a0639b5b4bb7c877d4a66b9b43f2.tar.gz
1 files changed, 56 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch
new file mode 100644
index 0000000..6bd9a75
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch
@@ -0,0 +1,56 @@
+From 0de0e610f6b359c52d4f8b02bac2963f4968c9d6 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 7 Jan 2015 14:28:26 -0600
+Subject: mnt: Fail collect_mounts when applied to unmounted mounts
+[ Upstream commit cd4a40174b71acd021877341684d8bb1dc8ea4ae ]
+The only users of collect_mounts are in audit_tree.c
+In audit_trim_trees and audit_add_tree_rule the path passed into
+collect_mounts is generated from kern_path passed an audit_tree
+pathname which is guaranteed to be an absolute path.   In those cases
+collect_mounts is obviously intended to work on mounted paths and
+if a race results in paths that are unmounted when collect_mounts
+it is reasonable to fail early.
+The paths passed into audit_tag_tree don't have the absolute path
+check.  But are used to play with fsnotify and otherwise interact with
+the audit_trees, so again operating only on mounted paths appears
+reasonable.
+Avoid having to worry about what happens when we try and audit
+unmounted filesystems by restricting collect_mounts to mounts
+that appear in the mount tree.
+Fixes CVE-2015-4177.
+Upstream-Status: Backport
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/namespace.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 64837e3..8b60287 100644
+--- a/fs/namespace.c
+++ b/fs/namespace.c
+@@ -1675,8 +1675,11 @@ struct vfsmount *collect_mounts(struct path *path)
+ {
+        struct mount *tree;
+        namespace_lock();
+-       tree = copy_tree(real_mount(path->mnt), path->dentry,
+-                        CL_COPY_ALL | CL_PRIVATE);
+       if (!check_mnt(real_mount(path->mnt)))
+               tree = ERR_PTR(-EINVAL);
+       else
+               tree = copy_tree(real_mount(path->mnt), path->dentry,
+                                CL_COPY_ALL | CL_PRIVATE);
+        namespace_unlock();
+        if (IS_ERR(tree))
+                return ERR_CAST(tree);
+-- 
+cgit v0.11.2
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-12-22 13:01:50 +0100
committer	Huimin She <huimin.she@enea.com>	2015-12-22 15:42:49 +0100
commit	4b78021ae978a0639b5b4bb7c877d4a66b9b43f2 (patch)
tree	02d5237c086e705a6e7f4d14d31dfe87070f02f8 /recipes-kernel/linux/linux-hierofalcon-3.19
parent	08b46ce9e33c472ae04a8f1ec6ad1601594797f7 (diff)
download	meta-hierofalcon-4b78021ae978a0639b5b4bb7c877d4a66b9b43f2.tar.gz

diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch new file mode 100644 index 0000000..6bd9a75 --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch
@@ -0,0 +1,56 @@
	1	From 0de0e610f6b359c52d4f8b02bac2963f4968c9d6 Mon Sep 17 00:00:00 2001
	2	From: "Eric W. Biederman" <ebiederm@xmission.com>
	3	Date: Wed, 7 Jan 2015 14:28:26 -0600
	4	Subject: mnt: Fail collect_mounts when applied to unmounted mounts
	5
	6	[ Upstream commit cd4a40174b71acd021877341684d8bb1dc8ea4ae ]
	7
	8	The only users of collect_mounts are in audit_tree.c
	9
	10	In audit_trim_trees and audit_add_tree_rule the path passed into
	11	collect_mounts is generated from kern_path passed an audit_tree
	12	pathname which is guaranteed to be an absolute path. In those cases
	13	collect_mounts is obviously intended to work on mounted paths and
	14	if a race results in paths that are unmounted when collect_mounts
	15	it is reasonable to fail early.
	16
	17	The paths passed into audit_tag_tree don't have the absolute path
	18	check. But are used to play with fsnotify and otherwise interact with
	19	the audit_trees, so again operating only on mounted paths appears
	20	reasonable.
	21
	22	Avoid having to worry about what happens when we try and audit
	23	unmounted filesystems by restricting collect_mounts to mounts
	24	that appear in the mount tree.
	25
	26	Fixes CVE-2015-4177.
	27	Upstream-Status: Backport
	28
	29	Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
	30	Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
	31	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	32	---
	33	fs/namespace.c \| 7 +++++--
	34	1 file changed, 5 insertions(+), 2 deletions(-)
	35
	36	diff --git a/fs/namespace.c b/fs/namespace.c
	37	index 64837e3..8b60287 100644
	38	--- a/fs/namespace.c
	39	+++ b/fs/namespace.c
	40	@@ -1675,8 +1675,11 @@ struct vfsmount collect_mounts(struct path path)
	41	{
	42	struct mount *tree;
	43	namespace_lock();
	44	- tree = copy_tree(real_mount(path->mnt), path->dentry,
	45	- CL_COPY_ALL \| CL_PRIVATE);
	46	+ if (!check_mnt(real_mount(path->mnt)))
	47	+ tree = ERR_PTR(-EINVAL);
	48	+ else
	49	+ tree = copy_tree(real_mount(path->mnt), path->dentry,
	50	+ CL_COPY_ALL \| CL_PRIVATE);
	51	namespace_unlock();
	52	if (IS_ERR(tree))
	53	return ERR_CAST(tree);
	54	--
	55	cgit v0.11.2
	56