Re: [PATCHES] Bind mount escape fixes (CVE-2015-2925)

On Thu, Oct 01, 2015 at 11:15:47AM -0500, Eric W. Biederman wrote:
> 
> With a strategically placed rename bind mounts can be tricked into
> giving processes access to the entire filesystem instead of just a piece
> of it.  This misfeature has existed since bind mounts were introduced
> into the kernel.  This issue has been fixed in Linus's tree and below
> are my tested backports of the fixes to 4.2.1, 4.1.8, 3.18.21, 3.14.53,
> 3.12.48, 3.10.89, 3.4.109, 3.2.71, 2.6.32.68.  All of the kernels 
> currently listed as being active.
> 
> The fixes backported are:
> cde93be45a8a90d8c264c776fab63487b5038a65 dcache: Handle escaped paths in prepend_path
> 397d425dc26da728396e66d392d5dcb8dac30c37 vfs: Test for and handle paths that are unreachable from their mnt_root
> 
> As I backported the patches the logical work remained the same but the
> exact implementation details changed to fit in with the vfs present in
> the older kernels.  Minor changes were needed for the backport to
> every kernel except 4.2.1.
> 
> Please queue these changes for the appropriate stable trees.
> 

Thank you, Eric.  I'm queuing these for the 3.16 kernel as well (picking
the 3.18 backports).

Cheers,
--
Luís