author | Zefan Li <lizefan@huawei.com> | 2015-10-17 09:44:42 +0800 |
---|---|---|
committer | Zefan Li <lizefan@huawei.com> | 2015-10-17 09:44:42 +0800 |
commit | 1e0384a06c411161136cce400163df5f5d5df9bf (patch) | |
tree | eea4f62d544f81a842bc6808a704d036167f7e9f | |
parent | 30370a66fcc80d3686e85b658147e80a70b216dc (diff) | |
Add some bind mount fixes for CVE-2015-2925
-rw-r--r-- | patches/dcache-handle-escaped-paths-in-prepend_path.patch | 71 | ||||
-rw-r--r-- | patches/series | 2 | ||||
-rw-r--r-- | patches/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch | 107 |
3 files changed, 180 insertions, 0 deletions
diff --git a/patches/dcache-handle-escaped-paths-in-prepend_path.patch b/patches/dcache-handle-escaped-paths-in-prepend_path.patch
new file mode 100644
index 0000000..033b139
--- /dev/null
+++ b/patches/dcache-handle-escaped-paths-in-prepend_path.patch
@@ -0,0 +1,71 @@
+From d1c3c58267ed18be9275f53c49673cb970165f2a Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Sat, 15 Aug 2015 13:36:12 -0500
+Subject: [PATCH 1/2] dcache: Handle escaped paths in prepend_path
+
+commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream.
+
+A rename can result in a dentry that by walking up d_parent
+will never reach it's mnt_root. For lack of a better term
+I call this an escaped path.
+
+prepend_path is called by four different functions __d_path,
+d_absolute_path, d_path, and getcwd.
+
+__d_path only wants to see paths are connected to the root it passes
+in. So __d_path needs prepend_path to return an error.
+
+d_absolute_path similarly wants to see paths that are connected to
+some root. Escaped paths are not connected to any mnt_root so
+d_absolute_path needs prepend_path to return an error greater
+than 1. So escaped paths will be treated like paths on lazily
+unmounted mounts.
+
+getcwd needs to prepend "(unreachable)" so getcwd also needs
+prepend_path to return an error.
+
+d_path is the interesting hold out. d_path just wants to print
+something, and does not care about the weird cases. Which raises
+the question what should be printed?
+
+Given that <escaped_path>/<anything> should result in -ENOENT I
+believe it is desirable for escaped paths to be printed as empty
+paths. As there are not really any meaninful path components when
+considered from the perspective of a mount tree.
+
+So tweak prepend_path to return an empty path with an new error
+code of 3 when it encounters an escaped path.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ fs/dcache.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2518,6 +2518,8 @@ static int prepend_path(const struct pat
+ struct dentry *dentry = path->dentry;
+ struct vfsmount *vfsmnt = path->mnt;
+ struct mount *mnt = real_mount(vfsmnt);
++ char *orig_buffer = *buffer;
++ int orig_len = *buflen;
+ bool slash = false;
+ int error = 0;
+ 
+@@ -2525,6 +2527,14 @@ static int prepend_path(const struct pat
+ struct dentry * parent;
+ 
+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
++ /* Escaped? */
++ if (dentry != vfsmnt->mnt_root) {
++ *buffer = orig_buffer;
++ *buflen = orig_len;
++ slash = false;
++ error = 3;
++ goto global_root;
++ }
+ /* Global root? */
+ if (!mnt_has_parent(mnt))
+ goto global_root;
diff --git a/patches/series b/patches/series
index a963646..5f72d7d 100644
--- a/patches/series
+++ b/patches/series
@@ -61,3 +61,5 @@ arm-fix-incorrect-backport-of-0b59d8806a31.patch
 usb-dwc3-reset-the-transfer-resource-index-on-set_interface.patch
 jbd2-avoid-infinite-loop-when-destroying-aborted-journal.patch
 ib-qib-change-lkey-table-allocation-to-support-more-mrs.patch
+dcache-handle-escaped-paths-in-prepend_path.patch
+vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch
diff --git a/patches/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch b/patches/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch
new file mode 100644
index 0000000..eb57b64
--- /dev/null
+++ b/patches/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch
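Review bot: `slash = false;` before `goto global_root` in the escaped-path branch looks like it defeats the new error code. If the `global_root` label in this 3.4 tree (outside the hunk) still does `if (!slash) error = prepend(buffer, buflen, "/", 1);` followed by `if (!error) error = ... ? 1 : 2;`, the `error = 3` set here is overwritten by the successful prepend and the escaped path is returned as "/" with status 1 or 2, so __d_path, d_absolute_path and getcwd never learn the path is unreachable — the opposite of the "empty path, error 3" behaviour the commit message describes. Setting `slash = true;` instead would skip that prepend and leave both the reset (empty) buffer and error 3 intact; alternatively guard both statements at `global_root` on `error != 3`. This needs confirming against the `global_root` code, which the hunk does not show; prepend_path's body continues outside the hunk.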
@@ -0,0 +1,107 @@
+From b97fd34ebf9398a1f72b3e04cf371b154c1cdb4f Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Sat, 15 Aug 2015 20:27:13 -0500
+Subject: [PATCH 2/2] vfs: Test for and handle paths that are unreachable from
+ their mnt_root
+
+commit 397d425dc26da728396e66d392d5dcb8dac30c37 upstream.
+
+In rare cases a directory can be renamed out from under a bind mount.
+In those cases without special handling it becomes possible to walk up
+the directory tree to the root dentry of the filesystem and down
+from the root dentry to every other file or directory on the filesystem.
+
+Like division by zero .. from an unconnected path can not be given
+a useful semantic as there is no predicting at which path component
+the code will realize it is unconnected. We certainly can not match
+the current behavior as the current behavior is a security hole.
+
+Therefore when encounting .. when following an unconnected path
+return -ENOENT.
+
+- Add a function path_connected to verify path->dentry is reachable
+ from path->mnt.mnt_root. AKA to validate that rename did not do
+ something nasty to the bind mount.
+
+ To avoid races path_connected must be called after following a path
+ component to it's next path component.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+---
+ fs/namei.c | 29 +++++++++++++++++++++++++++--
+ 1 file changed, 27 insertions(+), 2 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -397,6 +397,24 @@ void path_put(struct path *path)
+ }
+ EXPORT_SYMBOL(path_put);
+ 
++/**
++ * path_connected - Verify that a path->dentry is below path->mnt.mnt_root
++ * @path: nameidate to verify
++ *
++ * Rename can sometimes move a file or directory outside of a bind
++ * mount, path_connected allows those cases to be detected.
++ */
++static bool path_connected(const struct path *path)
++{
++ struct vfsmount *mnt = path->mnt;
++
++ /* Only bind mounts can have disconnected paths */
++ if (mnt->mnt_root == mnt->mnt_sb->s_root)
++ return true;
++
++ return is_subdir(path->dentry, mnt->mnt_root);
++}
++
+ /*
+ * Path walking has 2 modes, rcu-walk and ref-walk (see
+ * Documentation/filesystems/path-lookup.txt). In situations when we can't
+@@ -945,6 +963,8 @@ static int follow_dotdot_rcu(struct name
+ goto failed;
+ nd->path.dentry = parent;
+ nd->seq = seq;
++ if (unlikely(!path_connected(&nd->path)))
++ goto failed;
+ break;
+ }
+ if (!follow_up_rcu(&nd->path))
+@@ -1029,7 +1049,7 @@ static void follow_mount(struct path *pa
+ }
+ }
+ 
+-static void follow_dotdot(struct nameidata *nd)
++static int follow_dotdot(struct nameidata *nd)
+ {
+ if (!nd->root.mnt)
+ set_root(nd);
+@@ -1045,6 +1065,10 @@ static void follow_dotdot(struct nameida
+ /* rare case of legitimate dget_parent()... */
+ nd->path.dentry = dget_parent(nd->path.dentry);
+ dput(old);
++ if (unlikely(!path_connected(&nd->path))) {
++ path_put(&nd->path);
++ return -ENOENT;
++ }
+ break;
+ }
+ if (!follow_up(&nd->path))
+@@ -1052,6 +1076,7 @@ static void follow_dotdot(struct nameida
+ }
+ follow_mount(&nd->path);
+ nd->inode = nd->path.dentry->d_inode;
++ return 0;
+ }
+ 
+ /*
+@@ -1252,7 +1277,7 @@ static inline int handle_dots(struct nam
+ if (follow_dotdot_rcu(nd))
+ return -ECHILD;
+ } else
+- follow_dotdot(nd);
++ return follow_dotdot(nd);
+ }
+ return 0;
+ }
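Review bot: The `path_put(&nd->path);` added before `return -ENOENT;` in follow_dotdot appears to be a backport-specific addition not present in the upstream commit, and it only stays correct while this tree's walk_component()/handle_dots() callers treat a negative return as "nd->path already released" (no terminate_walk afterwards); that should be stated in a comment so a later rebase does not drop it (leak) or add a second put (double put), e.g. `/* callers expect nd->path released on error, as terminate_walk() would do */`. The rcu-walk branch in follow_dotdot_rcu presumably needs no put because `goto failed` is the existing -ECHILD path that abandons the rcu walk and retries in ref-walk mode, where follow_dotdot then reports -ENOENT — worth a one-line comment there too. The kerneldoc on path_connected says `@path: nameidate to verify` where the parameter is a `struct path`, so `@path: path to verify` would be accurate. follow_dotdot_rcu's and follow_dotdot's bodies start and end outside the hunks.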