1 files changed, 70 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon-4.1/dcache-CVE-2015-2925.patch b/recipes-kernel/linux/linux-hierofalcon-4.1/dcache-CVE-2015-2925.patch
new file mode 100644
index 0000000..a6a8449
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-4.1/dcache-CVE-2015-2925.patch
@@ -0,0 +1,70 @@
+From 6f4e45e35c02fd23589a62aab0dc84286cc1302c Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Sat, 15 Aug 2015 13:36:12 -0500
+Subject: dcache: Handle escaped paths in prepend_path
+commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream.
+A rename can result in a dentry that by walking up d_parent
+will never reach it's mnt_root.  For lack of a better term
+I call this an escaped path.
+prepend_path is called by four different functions __d_path,
+d_absolute_path, d_path, and getcwd.
+__d_path only wants to see paths are connected to the root it passes
+in.  So __d_path needs prepend_path to return an error.
+d_absolute_path similarly wants to see paths that are connected to
+some root.  Escaped paths are not connected to any mnt_root so
+d_absolute_path needs prepend_path to return an error greater
+than 1.  So escaped paths will be treated like paths on lazily
+unmounted mounts.
+getcwd needs to prepend "(unreachable)" so getcwd also needs
+prepend_path to return an error.
+d_path is the interesting hold out.  d_path just wants to print
+something, and does not care about the weird cases.  Which raises
+the question what should be printed?
+Given that <escaped_path>/<anything> should result in -ENOENT I
+believe it is desirable for escaped paths to be printed as empty
+paths.  As there are not really any meaninful path components when
+considered from the perspective of a mount tree.
+So tweak prepend_path to return an empty path with an new error
+code of 3 when it encounters an escaped path.
+Fixes CVE-2015-2925.
+Upstream-Status: Backport
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/dcache.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/fs/dcache.c b/fs/dcache.c
+index 5d03eb0..2e8ddc1 100644
+--- a/fs/dcache.c
+++ b/fs/dcache.c
+@@ -2923,6 +2923,13 @@ restart:
+ 
+                if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
+                        struct mount *parent = ACCESS_ONCE(mnt->mnt_parent);
+                       /* Escaped? */
+                       if (dentry != vfsmnt->mnt_root) {
+                               bptr = *buffer;
+                               blen = *buflen;
+                               error = 3;
+                               break;
+                       }
+                        /* Global root? */
+                        if (mnt != parent) {
+                                dentry = ACCESS_ONCE(mnt->mnt_mountpoint);
+-- 
+cgit v0.12

diff --git a/recipes-kernel/linux/linux-hierofalcon-4.1/dcache-CVE-2015-2925.patch b/recipes-kernel/linux/linux-hierofalcon-4.1/dcache-CVE-2015-2925.patch new file mode 100644 index 0000000..a6a8449 --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon-4.1/dcache-CVE-2015-2925.patch
@@ -0,0 +1,70 @@
	1	From 6f4e45e35c02fd23589a62aab0dc84286cc1302c Mon Sep 17 00:00:00 2001
	2	From: "Eric W. Biederman" <ebiederm@xmission.com>
	3	Date: Sat, 15 Aug 2015 13:36:12 -0500
	4	Subject: dcache: Handle escaped paths in prepend_path
	5
	6	commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream.
	7
	8	A rename can result in a dentry that by walking up d_parent
	9	will never reach it's mnt_root. For lack of a better term
	10	I call this an escaped path.
	11
	12	prepend_path is called by four different functions __d_path,
	13	d_absolute_path, d_path, and getcwd.
	14
	15	__d_path only wants to see paths are connected to the root it passes
	16	in. So __d_path needs prepend_path to return an error.
	17
	18	d_absolute_path similarly wants to see paths that are connected to
	19	some root. Escaped paths are not connected to any mnt_root so
	20	d_absolute_path needs prepend_path to return an error greater
	21	than 1. So escaped paths will be treated like paths on lazily
	22	unmounted mounts.
	23
	24	getcwd needs to prepend "(unreachable)" so getcwd also needs
	25	prepend_path to return an error.
	26
	27	d_path is the interesting hold out. d_path just wants to print
	28	something, and does not care about the weird cases. Which raises
	29	the question what should be printed?
	30
	31	Given that <escaped_path>/<anything> should result in -ENOENT I
	32	believe it is desirable for escaped paths to be printed as empty
	33	paths. As there are not really any meaninful path components when
	34	considered from the perspective of a mount tree.
	35
	36	So tweak prepend_path to return an empty path with an new error
	37	code of 3 when it encounters an escaped path.
	38
	39	Fixes CVE-2015-2925.
	40	Upstream-Status: Backport
	41
	42	Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
	43	Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
	44	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	45	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	46	---
	47	fs/dcache.c \| 7 +++++++
	48	1 file changed, 7 insertions(+)
	49
	50	diff --git a/fs/dcache.c b/fs/dcache.c
	51	index 5d03eb0..2e8ddc1 100644
	52	--- a/fs/dcache.c
	53	+++ b/fs/dcache.c
	54	@@ -2923,6 +2923,13 @@ restart:
	55
	56	if (dentry == vfsmnt->mnt_root \|\| IS_ROOT(dentry)) {
	57	struct mount *parent = ACCESS_ONCE(mnt->mnt_parent);
	58	+ /* Escaped? */
	59	+ if (dentry != vfsmnt->mnt_root) {
	60	+ bptr = *buffer;
	61	+ blen = *buflen;
	62	+ error = 3;
	63	+ break;
	64	+ }
	65	/* Global root? */
	66	if (mnt != parent) {
	67	dentry = ACCESS_ONCE(mnt->mnt_mountpoint);
	68	--
	69	cgit v0.12
	70