diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2014-10-15 08:43:27 +0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2014-10-15 08:43:27 +0400 |
commit | ce9d7f7b45930ed16c512aabcfe651d44f1c8619 (patch) | |
tree | 375fa3cc99a5886991de15ecaa305c226e0b9327 | |
parent | 2d65a9f48fcdf7866aab6457bc707ca233e0c791 (diff) | |
parent | 0d0826019e529f21c84687521d03f60cd241ca7d (diff) | |
download | linux-ce9d7f7b45930ed16c512aabcfe651d44f1c8619.tar.xz |
Merge branch 'CVE-2014-7970' of git://git.kernel.org/pub/scm/linux/kernel/git/luto/linux
Pull pivot_root() fix from Andy Lutomirski.
Prevent a leak of unreachable mounts.
* 'CVE-2014-7970' of git://git.kernel.org/pub/scm/linux/kernel/git/luto/linux:
mnt: Prevent pivot_root from creating a loop in the mount tree
-rw-r--r-- | fs/namespace.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/namespace.c b/fs/namespace.c index 2651328d1790..fbba8b17330d 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2915,6 +2915,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, /* make sure we can reach put_old from new_root */ if (!is_path_reachable(old_mnt, old.dentry, &new)) goto out4; + /* make certain new is below the root */ + if (!is_path_reachable(new_mnt, new.dentry, &root)) + goto out4; root_mp->m_count++; /* pin it so it won't go away */ lock_mount_hash(); detach_mnt(new_mnt, &parent_path); |