diff options
Diffstat (limited to 'mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch')
-rw-r--r-- | mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch b/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch new file mode 100644 index 000000000..0faadaf55 --- /dev/null +++ b/mnt-Prevent-pivot_root-from-creating-a-loop-in-the-m.patch @@ -0,0 +1,44 @@ +From: "Eric W. Biederman" <ebiederm@xmission.com> +Date: Wed, 8 Oct 2014 10:42:27 -0700 +Subject: [PATCH] mnt: Prevent pivot_root from creating a loop in the mount + tree + +Andy Lutomirski recently demonstrated that when chroot is used to set +the root path below the path for the new ``root'' passed to pivot_root +the pivot_root system call succeeds and leaks mounts. + +In examining the code I see that starting with a new root that is +below the current root in the mount tree will result in a loop in the +mount tree after the mounts are detached and then reattached to one +another. Resulting in all kinds of ugliness including a leak of that +mounts involved in the leak of the mount loop. + +Prevent this problem by ensuring that the new mount is reachable from +the current root of the mount tree. + +Upstream-status: Submitted for 3.18 +Bugzilla: 1151095,1151484 + +Reported-by: Andy Lutomirski <luto@amacapital.net> +Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> +--- + fs/namespace.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/namespace.c b/fs/namespace.c +index ef42d9bee212..74647c2fe69c 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -2820,6 +2820,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, + /* make sure we can reach put_old from new_root */ + if (!is_path_reachable(old_mnt, old.dentry, &new)) + goto out4; ++ /* make certain new is below the root */ ++ if (!is_path_reachable(new_mnt, new.dentry, &root)) ++ goto out4; + root_mp->m_count++; /* pin it so it won't go away */ + lock_mount_hash(); + detach_mnt(new_mnt, &parent_path); +-- +1.9.3 + |