Commit 0d082601 authored by Eric W. Biederman's avatar Eric W. Biederman Committed by Andy Lutomirski
Browse files

mnt: Prevent pivot_root from creating a loop in the mount tree 



Andy Lutomirski recently demonstrated that when chroot is used to set
the root path below the path for the new ``root'' passed to pivot_root
the pivot_root system call succeeds and leaks mounts.

In examining the code I see that starting with a new root that is
below the current root in the mount tree will result in a loop in the
mount tree after the mounts are detached and then reattached to one
another.  Resulting in all kinds of ugliness including a leak of that
mounts involved in the leak of the mount loop.

Prevent this problem by ensuring that the new mount is reachable from
the current root of the mount tree.

[Added stable cc.  Fixes CVE-2014-7970.  --Andy]

Cc: stable@vger.kernel.org
Reported-by: default avatarAndy Lutomirski <luto@amacapital.net>
Reviewed-by: default avatarAndy Lutomirski <luto@amacapital.net>
Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org


Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: default avatarAndy Lutomirski <luto@amacapital.net>
parent c798360c

fs/namespace.c

+3 −0
Original line number Diff line number Diff line
@@ -2820,6 +2820,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, 
	/* make sure we can reach put_old from new_root */

	if (!is_path_reachable(old_mnt, old.dentry, &new))

		goto out4;

	/* make certain new is below the root */

	if (!is_path_reachable(new_mnt, new.dentry, &root))

		goto out4;

	root_mp->m_count++; /* pin it so it won't go away */

	lock_mount_hash();

	detach_mnt(new_mnt, &parent_path);

CRA Git | Maintained and supported by SUSTech CRA and CCSE