aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2015-12-30 10:58:49 +0100
committerZhenhua Luo <zhenhua.luo@nxp.com>2016-01-05 15:06:20 +0800
commit3a48365291e52ea967980bb1b69e99fd1a8f57dd (patch)
tree2c2fe8374212e64fa202bd64e9003af230196b1d
parentc953e8eca79bbb5de090a0c400854464568156df (diff)
downloadmeta-fsl-ppc-dizzy.tar.gz
meta-fsl-ppc-dizzy.tar.bz2
meta-fsl-ppc-dizzy.zip
kernel-mnt: CVE-2015-4177dizzy-nextdizzy
Fixes race conditions in collect_mounts References: http://seclists.org/oss-sec/2015/q2/640 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4177 Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=6ab282fe6d43027b3b1ef820b3798aae8fdb432b Signen-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r--recipes-kernel/linux/files/mnt-CVE-2015-4177.patch56
-rw-r--r--recipes-kernel/linux/linux-qoriq_3.12.bb1
2 files changed, 57 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/mnt-CVE-2015-4177.patch b/recipes-kernel/linux/files/mnt-CVE-2015-4177.patch
new file mode 100644
index 0000000..c6ca4bf
--- /dev/null
+++ b/recipes-kernel/linux/files/mnt-CVE-2015-4177.patch
@@ -0,0 +1,56 @@
+From 6ab282fe6d43027b3b1ef820b3798aae8fdb432b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 7 Jan 2015 14:28:26 -0600
+Subject: mnt: Fail collect_mounts when applied to unmounted mounts
+
+commit cd4a40174b71acd021877341684d8bb1dc8ea4ae upstream.
+
+The only users of collect_mounts are in audit_tree.c
+
+In audit_trim_trees and audit_add_tree_rule the path passed into
+collect_mounts is generated from kern_path passed an audit_tree
+pathname which is guaranteed to be an absolute path. In those cases
+collect_mounts is obviously intended to work on mounted paths and
+if a race results in paths that are unmounted when collect_mounts
+it is reasonable to fail early.
+
+The paths passed into audit_tag_tree don't have the absolute path
+check. But are used to play with fsnotify and otherwise interact with
+the audit_trees, so again operating only on mounted paths appears
+reasonable.
+
+Avoid having to worry about what happens when we try and audit
+unmounted filesystems by restricting collect_mounts to mounts
+that appear in the mount tree.
+
+Fixes CVE-2015-4177.
+Upstream-Status: Backport
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/namespace.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 247f34d..185cd1a 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1467,8 +1467,11 @@ struct vfsmount *collect_mounts(struct path *path)
+ {
+ struct mount *tree;
+ namespace_lock();
+- tree = copy_tree(real_mount(path->mnt), path->dentry,
+- CL_COPY_ALL | CL_PRIVATE);
++ if (!check_mnt(real_mount(path->mnt)))
++ tree = ERR_PTR(-EINVAL);
++ else
++ tree = copy_tree(real_mount(path->mnt), path->dentry,
++ CL_COPY_ALL | CL_PRIVATE);
+ namespace_unlock();
+ if (IS_ERR(tree))
+ return ERR_CAST(tree);
+--
+cgit v0.11.2
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index db26777..ab98f72 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -40,6 +40,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
file://fs-CVE-2015-3339.patch \
file://media-CVE-2014-1739.patch \
file://fs-userns-CVE-2014-4014.patch \
+ file://mnt-CVE-2015-4177.patch \
"
SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"