From 4b78021ae978a0639b5b4bb7c877d4a66b9b43f2 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Tue, 22 Dec 2015 13:01:50 +0100 Subject: kernel-mnt: CVE-2015-4177 Fixes race conditions in collect_mounts References: http://seclists.org/oss-sec/2015/q2/640 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4177 Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=0de0e610f6b359c52d4f8b02bac2963f4968c9d6 Signed-off-by: Sona Sarmadi Signed-off-by: Huimin She --- .../linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch | 56 ++++++++++++++++++++++ recipes-kernel/linux/linux-hierofalcon_3.19.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch diff --git a/recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch b/recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch new file mode 100644 index 0000000..6bd9a75 --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon-3.19/mnt-CVE-2015-4177.patch 
@@ -0,0 +1,56 @@ +From 0de0e610f6b359c52d4f8b02bac2963f4968c9d6 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Wed, 7 Jan 2015 14:28:26 -0600 +Subject: mnt: Fail collect_mounts when applied to unmounted mounts + +[ Upstream commit cd4a40174b71acd021877341684d8bb1dc8ea4ae ] + +The only users of collect_mounts are in audit_tree.c + +In audit_trim_trees and audit_add_tree_rule the path passed into +collect_mounts is generated from kern_path passed an audit_tree +pathname which is guaranteed to be an absolute path. In those cases +collect_mounts is obviously intended to work on mounted paths and +if a race results in paths that are unmounted when collect_mounts +it is reasonable to fail early. + +The paths passed into audit_tag_tree don't have the absolute path +check. But are used to play with fsnotify and otherwise interact with +the audit_trees, so again operating only on mounted paths appears +reasonable. + +Avoid having to worry about what happens when we try and audit +unmounted filesystems by restricting collect_mounts to mounts +that appear in the mount tree. + +Fixes CVE-2015-4177. +Upstream-Status: Backport + +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Sasha Levin +Signed-off-by: Sona Sarmadi +--- + fs/namespace.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 64837e3..8b60287 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1675,8 +1675,11 @@ struct vfsmount *collect_mounts(struct path *path) + { + struct mount *tree; + namespace_lock(); +- tree = copy_tree(real_mount(path->mnt), path->dentry, +- CL_COPY_ALL | CL_PRIVATE); ++ if (!check_mnt(real_mount(path->mnt))) ++ tree = ERR_PTR(-EINVAL); ++ else ++ tree = copy_tree(real_mount(path->mnt), path->dentry, ++ CL_COPY_ALL | CL_PRIVATE); + namespace_unlock(); + if (IS_ERR(tree)) + return ERR_CAST(tree); +-- +cgit v0.11.2 + 
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb index a1c3e6e..7d0e9d2 100644 --- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb +++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb @@ -20,6 +20,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6 file://RDS-CVE-2015-6937.patch \ file://RDS-CVE-2015-7990-a-complete-fix-of-CVE-2015-6937.patch \ file://fs-CVE-2015-3339.patch \ + file://mnt-CVE-2015-4177.patch \ " S = "${WORKDIR}/git" -- cgit v1.2.3-54-g00ecf
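Review bot: in the embedded fs/namespace.c hunk of mnt-CVE-2015-4177.patch, collect_mounts() now returns ERR_PTR(-EINVAL) when check_mnt(real_mount(path->mnt)) fails, so every caller has to test the result with IS_ERR() rather than against NULL. The error leaves through the existing "return ERR_CAST(tree);" line. The patch description names audit_trim_trees, audit_add_tree_rule and audit_tag_tree in audit_tree.c as the users, but none of them is visible in this change. Please confirm that they handle an error pointer in this 3.19 tree. The new check is correctly placed between namespace_lock() and namespace_unlock(), so the check and copy_tree() run under the same lock. On the patch header: the outer commit message points at stable commit 0de0e610f6b359c52d4f8b02bac2963f4968c9d6 while the patch body cites upstream commit cd4a40174b71acd021877341684d8bb1dc8ea4ae. Naming the commit that was actually backported next to "Upstream-Status: Backport" would make the provenance unambiguous.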