ACK: [Lucid][Precise][Trusty][Utopic][CVE-2014-7975] fs: Add a missing permission check to do_umount

Brad Figg brad.figg at canonical.com
Tue Oct 21 17:18:34 UTC 2014


On 10/21/2014 12:14 PM, Luis Henriques wrote:
> From: Andy Lutomirski <luto at amacapital.net>
> 
> Accessing do_remount_sb should require global CAP_SYS_ADMIN, but
> only one of the two call sites was appropriately protected.
> 
> Fixes CVE-2014-7975.
> 
> Signed-off-by: Andy Lutomirski <luto at amacapital.net>
> (cherry picked from commit a1480dcc3c706e309a88884723446f2e84fedd5b)
> CVE-2014-7975
> BugLink: http://bugs.launchpad.net/bugs/1383358
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  fs/namespace.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/fs/namespace.c b/fs/namespace.c
> index d6e1c030b961..cb83c66d5280 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -1080,6 +1080,8 @@ static int do_umount(struct vfsmount *mnt, int flags)
>  		 * Special case for "unmounting" root ...
>  		 * we just try to remount it readonly.
>  		 */
> +		if (!capable(CAP_SYS_ADMIN))
> +			return -EPERM;
>  		down_write(&sb->s_umount);
>  		if (!(sb->s_flags & MS_RDONLY))
>  			retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
> 


-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com




More information about the kernel-team mailing list