summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2014-10-15 08:43:27 +0400
committerLinus Torvalds <torvalds@linux-foundation.org>2014-10-15 08:43:27 +0400
commitce9d7f7b45930ed16c512aabcfe651d44f1c8619 (patch)
tree375fa3cc99a5886991de15ecaa305c226e0b9327
parent2d65a9f48fcdf7866aab6457bc707ca233e0c791 (diff)
parent0d0826019e529f21c84687521d03f60cd241ca7d (diff)
downloadlinux-ce9d7f7b45930ed16c512aabcfe651d44f1c8619.tar.xz
Merge branch 'CVE-2014-7970' of git://git.kernel.org/pub/scm/linux/kernel/git/luto/linux
Pull pivot_root() fix from Andy Lutomirski. Prevent a leak of unreachable mounts. * 'CVE-2014-7970' of git://git.kernel.org/pub/scm/linux/kernel/git/luto/linux: mnt: Prevent pivot_root from creating a loop in the mount tree
-rw-r--r--fs/namespace.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/namespace.c b/fs/namespace.c
index 2651328d1790..fbba8b17330d 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2915,6 +2915,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
/* make sure we can reach put_old from new_root */
if (!is_path_reachable(old_mnt, old.dentry, &new))
goto out4;
+ /* make certain new is below the root */
+ if (!is_path_reachable(new_mnt, new.dentry, &root))
+ goto out4;
root_mp->m_count++; /* pin it so it won't go away */
lock_mount_hash();
detach_mnt(new_mnt, &parent_path);