Ack: [Lucid][Precise][Trusty][Utopic][CVE-2014-7975] fs: Add a missing permission check to do_umount
Seth Forshee
seth.forshee at canonical.com
Tue Oct 21 16:36:07 UTC 2014
On Tue, Oct 21, 2014 at 05:14:22PM +0100, Luis Henriques wrote:
> From: Andy Lutomirski <luto at amacapital.net>
>
> Accessing do_remount_sb should require global CAP_SYS_ADMIN, but
> only one of the two call sites was appropriately protected.
>
> Fixes CVE-2014-7975.
>
> Signed-off-by: Andy Lutomirski <luto at amacapital.net>
> (cherry picked from commit a1480dcc3c706e309a88884723446f2e84fedd5b)
> CVE-2014-7975
> BugLink: http://bugs.launchpad.net/bugs/1383358
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> fs/namespace.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index d6e1c030b961..cb83c66d5280 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -1080,6 +1080,8 @@ static int do_umount(struct vfsmount *mnt, int flags)
> * Special case for "unmounting" root ...
> * we just try to remount it readonly.
> */
> + if (!capable(CAP_SYS_ADMIN))
> + return -EPERM;
> down_write(&sb->s_umount);
> if (!(sb->s_flags & MS_RDONLY))
> retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
> --
> 2.1.0
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
More information about the kernel-team
mailing list