Add some bind mount fixes for CVE-2015-2925

3 files changed, 180 insertions, 0 deletions

diff --git a/patches/dcache-handle-escaped-paths-in-prepend_path.patch b/patches/dcache-handle-escaped-paths-in-prepend_path.patch
new file mode 100644
index 0000000..033b139
--- /dev/null
+++ b/patches/dcache-handle-escaped-paths-in-prepend_path.patch
@@ -0,0 +1,71 @@
+From d1c3c58267ed18be9275f53c49673cb970165f2a Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Sat, 15 Aug 2015 13:36:12 -0500
+Subject: [PATCH 1/2] dcache: Handle escaped paths in prepend_path
+
+commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream.
+
+A rename can result in a dentry that by walking up d_parent
+will never reach it's mnt_root.  For lack of a better term
+I call this an escaped path.
+
+prepend_path is called by four different functions __d_path,
+d_absolute_path, d_path, and getcwd.
+
+__d_path only wants to see paths are connected to the root it passes
+in.  So __d_path needs prepend_path to return an error.
+
+d_absolute_path similarly wants to see paths that are connected to
+some root.  Escaped paths are not connected to any mnt_root so
+d_absolute_path needs prepend_path to return an error greater
+than 1.  So escaped paths will be treated like paths on lazily
+unmounted mounts.
+
+getcwd needs to prepend "(unreachable)" so getcwd also needs
+prepend_path to return an error.
+
+d_path is the interesting hold out.  d_path just wants to print
+something, and does not care about the weird cases.  Which raises
+the question what should be printed?
+
+Given that <escaped_path>/<anything> should result in -ENOENT I
+believe it is desirable for escaped paths to be printed as empty
+paths.  As there are not really any meaninful path components when
+considered from the perspective of a mount tree.
+
+So tweak prepend_path to return an empty path with an new error
+code of 3 when it encounters an escaped path.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Zefan Li <lizefan@huawei.com>
+---
+ fs/dcache.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/dcache.c
++++ b/fs/dcache.c
+@@ -2518,6 +2518,8 @@ static int prepend_path(const struct pat
+ 	struct dentry *dentry = path->dentry;
+ 	struct vfsmount *vfsmnt = path->mnt;
+ 	struct mount *mnt = real_mount(vfsmnt);
++	char *orig_buffer = *buffer;
++	int orig_len = *buflen;
+ 	bool slash = false;
+ 	int error = 0;
+ 
+@@ -2525,6 +2527,14 @@ static int prepend_path(const struct pat
+ 		struct dentry * parent;
+ 
+ 		if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
++			/* Escaped? */
++			if (dentry != vfsmnt->mnt_root) {
++				*buffer = orig_buffer;
++				*buflen = orig_len;
++				slash = false;
++				error = 3;
++				goto global_root;
++			}
+ 			/* Global root? */
+ 			if (!mnt_has_parent(mnt))
+ 				goto global_root;
diff --git a/patches/series b/patches/series
index a963646..5f72d7d 100644
--- a/patches/series
+++ b/patches/series
@@ -61,3 +61,5 @@ arm-fix-incorrect-backport-of-0b59d8806a31.patch
 usb-dwc3-reset-the-transfer-resource-index-on-set_interface.patch
 jbd2-avoid-infinite-loop-when-destroying-aborted-journal.patch
 ib-qib-change-lkey-table-allocation-to-support-more-mrs.patch
+dcache-handle-escaped-paths-in-prepend_path.patch
+vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch
diff --git a/patches/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch b/patches/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch
new file mode 100644
index 0000000..eb57b64
--- /dev/null
+++ b/patches/vfs-test-for-and-handle-paths-that-are-unreachable-from-their-mnt_root.patch
@@ -0,0 +1,107 @@
+From b97fd34ebf9398a1f72b3e04cf371b154c1cdb4f Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Sat, 15 Aug 2015 20:27:13 -0500
+Subject: [PATCH 2/2] vfs: Test for and handle paths that are unreachable from
+ their mnt_root
+
+commit 397d425dc26da728396e66d392d5dcb8dac30c37 upstream.
+
+In rare cases a directory can be renamed out from under a bind mount.
+In those cases without special handling it becomes possible to walk up
+the directory tree to the root dentry of the filesystem and down
+from the root dentry to every other file or directory on the filesystem.
+
+Like division by zero .. from an unconnected path can not be given
+a useful semantic as there is no predicting at which path component
+the code will realize it is unconnected.  We certainly can not match
+the current behavior as the current behavior is a security hole.
+
+Therefore when encounting .. when following an unconnected path
+return -ENOENT.
+
+- Add a function path_connected to verify path->dentry is reachable
+  from path->mnt.mnt_root.  AKA to validate that rename did not do
+  something nasty to the bind mount.
+
+  To avoid races path_connected must be called after following a path
+  component to it's next path component.
+
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+---
+ fs/namei.c |   29 +++++++++++++++++++++++++++--
+ 1 file changed, 27 insertions(+), 2 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -397,6 +397,24 @@ void path_put(struct path *path)
+ }
+ EXPORT_SYMBOL(path_put);
+ 
++/**
++ * path_connected - Verify that a path->dentry is below path->mnt.mnt_root
++ * @path: nameidate to verify
++ *
++ * Rename can sometimes move a file or directory outside of a bind
++ * mount, path_connected allows those cases to be detected.
++ */
++static bool path_connected(const struct path *path)
++{
++	struct vfsmount *mnt = path->mnt;
++
++	/* Only bind mounts can have disconnected paths */
++	if (mnt->mnt_root == mnt->mnt_sb->s_root)
++		return true;
++
++	return is_subdir(path->dentry, mnt->mnt_root);
++}
++
+ /*
+  * Path walking has 2 modes, rcu-walk and ref-walk (see
+  * Documentation/filesystems/path-lookup.txt).  In situations when we can't
+@@ -945,6 +963,8 @@ static int follow_dotdot_rcu(struct name
+ 				goto failed;
+ 			nd->path.dentry = parent;
+ 			nd->seq = seq;
++			if (unlikely(!path_connected(&nd->path)))
++				goto failed;
+ 			break;
+ 		}
+ 		if (!follow_up_rcu(&nd->path))
+@@ -1029,7 +1049,7 @@ static void follow_mount(struct path *pa
+ 	}
+ }
+ 
+-static void follow_dotdot(struct nameidata *nd)
++static int follow_dotdot(struct nameidata *nd)
+ {
+ 	if (!nd->root.mnt)
+ 		set_root(nd);
+@@ -1045,6 +1065,10 @@ static void follow_dotdot(struct nameida
+ 			/* rare case of legitimate dget_parent()... */
+ 			nd->path.dentry = dget_parent(nd->path.dentry);
+ 			dput(old);
++			if (unlikely(!path_connected(&nd->path))) {
++				path_put(&nd->path);
++				return -ENOENT;
++			}
+ 			break;
+ 		}
+ 		if (!follow_up(&nd->path))
+@@ -1052,6 +1076,7 @@ static void follow_dotdot(struct nameida
+ 	}
+ 	follow_mount(&nd->path);
+ 	nd->inode = nd->path.dentry->d_inode;
++	return 0;
+ }
+ 
+ /*
+@@ -1252,7 +1277,7 @@ static inline int handle_dots(struct nam
+ 			if (follow_dotdot_rcu(nd))
+ 				return -ECHILD;
+ 		} else
+-			follow_dotdot(nd);
++			return follow_dotdot(nd);
+ 	}
+ 	return 0;
+ }