diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-10-15 00:43:27 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-10-15 00:43:27 -0400 |
| commit | ce9d7f7b45930ed16c512aabcfe651d44f1c8619 (patch) | |
| tree | 375fa3cc99a5886991de15ecaa305c226e0b9327 /fs/namespace.c | |
| parent | 2d65a9f48fcdf7866aab6457bc707ca233e0c791 (diff) | |
| parent | 0d0826019e529f21c84687521d03f60cd241ca7d (diff) | |
Merge branch 'CVE-2014-7970' of git://git.kernel.org/pub/scm/linux/kernel/git/luto/linux
Pull pivot_root() fix from Andy Lutomirski.
Prevent a leak of unreachable mounts.
* 'CVE-2014-7970' of git://git.kernel.org/pub/scm/linux/kernel/git/luto/linux:
mnt: Prevent pivot_root from creating a loop in the mount tree
Diffstat (limited to 'fs/namespace.c')
| -rw-r--r-- | fs/namespace.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/namespace.c b/fs/namespace.c index 2651328d1790..fbba8b17330d 100644 --- a/fs/namespace.c +++ b/fs/namespace.c | |||
| @@ -2915,6 +2915,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, | |||
| 2915 | /* make sure we can reach put_old from new_root */ | 2915 | /* make sure we can reach put_old from new_root */ |
| 2916 | if (!is_path_reachable(old_mnt, old.dentry, &new)) | 2916 | if (!is_path_reachable(old_mnt, old.dentry, &new)) |
| 2917 | goto out4; | 2917 | goto out4; |
| 2918 | /* make certain new is below the root */ | ||
| 2919 | if (!is_path_reachable(new_mnt, new.dentry, &root)) | ||
| 2920 | goto out4; | ||
| 2918 | root_mp->m_count++; /* pin it so it won't go away */ | 2921 | root_mp->m_count++; /* pin it so it won't go away */ |
| 2919 | lock_mount_hash(); | 2922 | lock_mount_hash(); |
| 2920 | detach_mnt(new_mnt, &parent_path); | 2923 | detach_mnt(new_mnt, &parent_path); |