diff options
Diffstat (limited to 'meta-fsl-ppc/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch')
-rw-r--r-- | meta-fsl-ppc/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/meta-fsl-ppc/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch b/meta-fsl-ppc/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch new file mode 100644 index 00000000..b08f2179 --- /dev/null +++ b/meta-fsl-ppc/recipes-kernel/linux/files/0002-mnt-CVE-2014-5206_CVE-2014-5207.patch @@ -0,0 +1,62 @@ +From cab259f821fad20afa688d3fbeb47356447ac20b Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Mon, 28 Jul 2014 17:10:56 -0700 +Subject: [PATCH] mnt: Move the test for MNT_LOCK_READONLY from + change_mount_flags into do_remount + +commit 07b645589dcda8b7a5249e096fece2a67556f0f4 upstream. + +There are no races as locked mount flags are guaranteed to never change. + +Moving the test into do_remount makes it more visible, and ensures all +filesystem remounts pass the MNT_LOCK_READONLY permission check. This +second case is not an issue today as filesystem remounts are guarded +by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged +mount namespaces, but it could become an issue in the future. + +Fix for CVE-2014-5206 and CVE-2014-5207 +Upstream-Status: backport + +Cc: stable@vger.kernel.org +Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com> +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +Signed-off-by: Jiri Slaby <jslaby@suse.cz> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> +--- + fs/namespace.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/fs/namespace.c b/fs/namespace.c +index 34fa7a5..8e90b03 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1806,9 +1806,6 @@ static int change_mount_flags(struct vfsmount *mnt, int ms_flags) + if (readonly_request == __mnt_is_readonly(mnt)) + return 0; + +- if (mnt->mnt_flags & MNT_LOCK_READONLY) +- return -EPERM; +- + if (readonly_request) + error = mnt_make_readonly(real_mount(mnt)); + else +@@ -1834,6 +1831,16 @@ static int do_remount(struct path *path, int flags, int mnt_flags, + if (path->dentry != path->mnt->mnt_root) + return -EINVAL; + ++ /* Don't allow changing of locked mnt flags. ++ * ++ * No locks need to be held here while testing the various ++ * MNT_LOCK flags because those flags can never be cleared ++ * once they are set. ++ */ ++ if ((mnt->mnt.mnt_flags & MNT_LOCK_READONLY) && ++ !(mnt_flags & MNT_READONLY)) { ++ return -EPERM; ++ } + err = security_sb_remount(sb, data); + if (err) + return err; +-- +1.9.1 + |