From 8ed388e21bf189bbd0f93b452b53d497cf3ecd9b Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Mon, 11 May 2015 03:29:09 +0000 Subject: mnt: Add missing pieces of fix for CVE-2014-9717 svn path=/dists/trunk/linux/; revision=22605 --- debian/changelog | 5 ++- ...w-for-the-possibility-that-m_list-or-s_li.patch | 51 ++++++++++++++++++++++ ...llect_mounts-when-applied-to-unmounted-mo.patch | 44 +++++++++++++++++++ debian/patches/series | 2 + 4 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 debian/patches/bugfix/all/fs_pin-allow-for-the-possibility-that-m_list-or-s_li.patch create mode 100644 debian/patches/bugfix/all/mnt-fail-collect_mounts-when-applied-to-unmounted-mo.patch diff --git a/debian/changelog b/debian/changelog index 29dce326daec..70562ed249fa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -147,6 +147,9 @@ linux (4.0.2-1) unstable; urgency=medium * [x86] nfc: Enable NFC_HCI, NFC_MEI_PHY, NFC_PN544, NFC_PN544_MEI as modules (Closes: #770323) * Set ABI to 1 + * mnt: Add missing pieces of fix for CVE-2014-9717: + - mnt: Fail collect_mounts when applied to unmounted mounts + - fs_pin: Allow for the possibility that m_list or s_list go unused. [ Ian Campbell ] * [armhf] Enable support for Freescale SNVS RTC. (Closes: #782364) @@ -155,7 +158,7 @@ linux (4.0.2-1) unstable; urgency=medium udeb. Patches from both Vagrant Cascadian and Wookey. (Closes: #783275) * [arm*] Install DTBS using dtbs_install target. (Closes: #784761) - -- Ben Hutchings Sun, 10 May 2015 21:08:37 +0100 + -- Ben Hutchings Mon, 11 May 2015 04:29:06 +0100 linux (4.0-1~exp1) experimental; urgency=medium diff --git a/debian/patches/bugfix/all/fs_pin-allow-for-the-possibility-that-m_list-or-s_li.patch b/debian/patches/bugfix/all/fs_pin-allow-for-the-possibility-that-m_list-or-s_li.patch new file mode 100644 index 000000000000..41b164245a95 --- /dev/null +++ b/debian/patches/bugfix/all/fs_pin-allow-for-the-possibility-that-m_list-or-s_li.patch 
@@ -0,0 +1,51 @@
+From: "Eric W. Biederman"
+Date: Thu, 2 Apr 2015 16:35:48 -0500
+Subject: fs_pin: Allow for the possibility that m_list or s_list go unused.
+Origin: https://git.kernel.org/linus/820f9f147dcce2602eefd9b575bbbd9ea14f0953
+
+This is needed to support lazily umounting locked mounts. Because the
+entire unmounted subtree needs to stay together until there are no
+users with references to any part of the subtree.
+
+To support this guarantee that the fs_pin m_list and s_list nodes
+are initialized by initializing them in init_fs_pin allowing
+for the possibility that pin_insert_group does not touch them.
+
+Further use hlist_del_init in pin_remove so that there is
+a hlist_unhashed test before the list we attempt to update
+the previous list item.
+
+Signed-off-by: "Eric W. Biederman"
+---
+ fs/fs_pin.c | 4 ++--
+ include/linux/fs_pin.h | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/fs_pin.c b/fs/fs_pin.c
+index b06c987..611b540 100644
+--- a/fs/fs_pin.c
++++ b/fs/fs_pin.c
+@@ -9,8 +9,8 @@ static DEFINE_SPINLOCK(pin_lock);
+ void pin_remove(struct fs_pin *pin)
+ {
+ spin_lock(&pin_lock);
+- hlist_del(&pin->m_list);
+- hlist_del(&pin->s_list);
++ hlist_del_init(&pin->m_list);
++ hlist_del_init(&pin->s_list);
+ spin_unlock(&pin_lock);
+ spin_lock_irq(&pin->wait.lock);
+ pin->done = 1;
+diff --git a/include/linux/fs_pin.h b/include/linux/fs_pin.h
+index 9dc4e03..3886b3b 100644
+--- a/include/linux/fs_pin.h
++++ b/include/linux/fs_pin.h
+@@ -13,6 +13,8 @@ struct vfsmount;
+ static inline void init_fs_pin(struct fs_pin *p, void (*kill)(struct fs_pin *))
+ {
+ init_waitqueue_head(&p->wait);
++ INIT_HLIST_NODE(&p->s_list);
++ INIT_HLIST_NODE(&p->m_list);
+ p->kill = kill;
+ }
+
diff --git a/debian/patches/bugfix/all/mnt-fail-collect_mounts-when-applied-to-unmounted-mo.patch b/debian/patches/bugfix/all/mnt-fail-collect_mounts-when-applied-to-unmounted-mo.patch
new file mode 100644
index 000000000000..5c865967a0cf
--- /dev/null
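Review bot: In `pin_remove`, switching to `hlist_del_init` means a second `pin_remove` on the same pin no longer runs into the poison pointers that `hlist_del` leaves behind, so a double removal now passes silently while `pin->done = 1` and whatever follows it are executed again. That tolerance is wanted for pins whose `m_list`/`s_list` were never inserted, but the reason lives only in the patch description; a comment at the call site would keep it with the code, e.g. `/* nodes may be unhashed: pin_insert_group need not have touched them */`. The matching `INIT_HLIST_NODE` calls are added only to `init_fs_pin`, so any `struct fs_pin` set up without that helper (none is visible here) would hand `hlist_del_init` uninitialised nodes and should be checked for in the target tree. `pin_remove` continues past the end of the hunk.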
+++ b/debian/patches/bugfix/all/mnt-fail-collect_mounts-when-applied-to-unmounted-mo.patch
@@ -0,0 +1,44 @@
+From: "Eric W. Biederman"
+Date: Wed, 7 Jan 2015 14:28:26 -0600
+Subject: mnt: Fail collect_mounts when applied to unmounted mounts
+Origin: https://git.kernel.org/linus/cd4a40174b71acd021877341684d8bb1dc8ea4ae
+
+The only users of collect_mounts are in audit_tree.c
+
+In audit_trim_trees and audit_add_tree_rule the path passed into
+collect_mounts is generated from kern_path passed an audit_tree
+pathname which is guaranteed to be an absolute path. In those cases
+collect_mounts is obviously intended to work on mounted paths and
+if a race results in paths that are unmounted when collect_mounts
+it is reasonable to fail early.
+
+The paths passed into audit_tag_tree don't have the absolute path
+check. But are used to play with fsnotify and otherwise interact with
+the audit_trees, so again operating only on mounted paths appears
+reasonable.
+
+Avoid having to worry about what happens when we try and audit
+unmounted filesystems by restricting collect_mounts to mounts
+that appear in the mount tree.
+
+Signed-off-by: "Eric W. Biederman"
+---
+ fs/namespace.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1709,8 +1709,11 @@ struct vfsmount *collect_mounts(struct p
+ {
+ struct mount *tree;
+ namespace_lock();
+- tree = copy_tree(real_mount(path->mnt), path->dentry,
+- CL_COPY_ALL | CL_PRIVATE);
++ if (!check_mnt(real_mount(path->mnt)))
++ tree = ERR_PTR(-EINVAL);
++ else
++ tree = copy_tree(real_mount(path->mnt), path->dentry,
++ CL_COPY_ALL | CL_PRIVATE);
+ namespace_unlock();
+ if (IS_ERR(tree))
+ return ERR_CAST(tree);
diff --git a/debian/patches/series b/debian/patches/series
index 599720dddf63..0a6c94320cec 100644
--- a/debian/patches/series
+++ b/debian/patches/series
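Review bot: The new `-EINVAL` branch in `collect_mounts` depends entirely on `check_mnt`, whose definition is not part of this patch; in mainline it compares the mount's namespace with the calling task's, which would reject mounts belonging to another mount namespace as well as unmounted ones. That is narrower than the description's "mounts that appear in the mount tree", so the intent should be recorded next to the test, e.g. `/* only mounts in the caller's mount namespace may be collected */`. The check is correctly made under `namespace_lock()`, and the existing `IS_ERR(tree)` return already carries an error pointer to callers, so only the errno they can see changes. `collect_mounts` starts before and ends after the lines shown.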
@@ -66,3 +66,5 @@ debian/emmc-don-t-initialize-partitions-on-rpmb-flagged-areas.patch
 features/all/efi-autoload-efi-pstore.patch
 bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch
 bugfix/all/path_openat-fix-double-fput.patch
+bugfix/all/mnt-fail-collect_mounts-when-applied-to-unmounted-mo.patch
+bugfix/all/fs_pin-allow-for-the-possibility-that-m_list-or-s_li.patch
-- cgit v1.2.3