[Precise][CVE-2014-7970][PATCH 1/3] vfs: new internal helper: mnt_has_parent(mnt)

Luis Henriques luis.henriques at canonical.com
Thu Jan 15 17:49:25 UTC 2015


From: Al Viro <viro at zeniv.linux.org.uk>

vfsmounts have ->mnt_parent pointing either to a different vfsmount
or to itself; it's never NULL and termination condition in loops
traversing the tree towards root is mnt == mnt->mnt_parent.  At least
one place (see the next patch) is confused about what's going on;
let's add an explicit helper checking it the right way and use it in
all places where we need it.  Not that there had been too many,
but...

Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
(cherry picked from commit b2dba1af3c4157040303a76d25216b1713d333d0)
CVE-2014-7970
BugLink: http://bugs.launchpad.net/bugs/1383356
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 fs/dcache.c    |  6 +++---
 fs/mount.h     |  6 ++++++
 fs/namespace.c | 14 +++++++-------
 fs/pnode.c     |  2 +-
 fs/pnode.h     |  2 +-
 5 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/fs/dcache.c b/fs/dcache.c
index 3f657424e46d..7ece12104580 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -38,6 +38,7 @@
 #include <linux/prefetch.h>
 #include <linux/ratelimit.h>
 #include "internal.h"
+#include "mount.h"
 
 /*
  * Usage:
@@ -2458,9 +2459,8 @@ static int prepend_path(const struct path *path,
 
 		if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
 			/* Global root? */
-			if (vfsmnt->mnt_parent == vfsmnt) {
+			if (!mnt_has_parent(vfsmnt))
 				goto global_root;
-			}
 			dentry = vfsmnt->mnt_mountpoint;
 			vfsmnt = vfsmnt->mnt_parent;
 			continue;
@@ -2867,7 +2867,7 @@ int path_is_under(struct path *path1, struct path *path2)
 	br_read_lock(vfsmount_lock);
 	if (mnt != path2->mnt) {
 		for (;;) {
-			if (mnt->mnt_parent == mnt) {
+			if (!mnt_has_parent(mnt)) {
 				br_read_unlock(vfsmount_lock);
 				return 0;
 			}
diff --git a/fs/mount.h b/fs/mount.h
new file mode 100644
index 000000000000..7890e49f74ef
--- /dev/null
+++ b/fs/mount.h
@@ -0,0 +1,6 @@
+#include <linux/mount.h>
+
+static inline int mnt_has_parent(struct vfsmount *mnt)
+{
+	return mnt != mnt->mnt_parent;
+}
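Review bot: The new fs/mount.h has no include guard yet defines a static inline function, and the fs/pnode.h hunk makes pnode.h include it too, so any translation unit that includes both pnode.h and mount.h (dcache.c now includes mount.h directly) would hit a redefinition of mnt_has_parent; wrapping the file in the usual `#ifndef`/`#define`/`#endif` guard, named per local convention, avoids that. The helper also depends on an invariant the commit description states but the header does not: `->mnt_parent` is never NULL and points at the mount itself when it is unattached, which is why there is deliberately no NULL check before the dereference. A comment above the function such as `/* ->mnt_parent is never NULL; an unattached mount has mnt->mnt_parent == mnt. */` would keep a later reader from "fixing" it with a NULL test and would document what every caller in this series now relies on. Returning `bool` rather than `int` would state the contract more precisely, if the header's include set allows it.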
diff --git a/fs/namespace.c b/fs/namespace.c
index 0c0b9e71eca7..b533bb5857b8 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1207,7 +1207,7 @@ void release_mounts(struct list_head *head)
 	while (!list_empty(head)) {
 		mnt = list_first_entry(head, struct vfsmount, mnt_hash);
 		list_del_init(&mnt->mnt_hash);
-		if (mnt->mnt_parent != mnt) {
+		if (mnt_has_parent(mnt)) {
 			struct dentry *dentry;
 			struct vfsmount *m;
 
@@ -1248,7 +1248,7 @@ void umount_tree(struct vfsmount *mnt, int propagate, struct list_head *kill)
 			__mnt_make_shortterm(p);
 		p->mnt_ns = NULL;
 		list_del_init(&p->mnt_child);
-		if (p->mnt_parent != p) {
+		if (mnt_has_parent(p)) {
 			p->mnt_parent->mnt_ghosts++;
 			dentry_reset_mounted(p->mnt_parent, p->mnt_mountpoint);
 		}
@@ -1914,7 +1914,7 @@ static int do_move_mount(struct path *path, char *old_name)
 	if (old_path.dentry != old_path.mnt->mnt_root)
 		goto out1;
 
-	if (old_path.mnt == old_path.mnt->mnt_parent)
+	if (!mnt_has_parent(old_path.mnt))
 		goto out1;
 
 	if (S_ISDIR(path->dentry->d_inode->i_mode) !=
@@ -1934,7 +1934,7 @@ static int do_move_mount(struct path *path, char *old_name)
 	    tree_contains_unbindable(old_path.mnt))
 		goto out1;
 	err = -ELOOP;
-	for (p = path->mnt; p->mnt_parent != p; p = p->mnt_parent)
+	for (p = path->mnt; mnt_has_parent(p); p = p->mnt_parent)
 		if (p == old_path.mnt)
 			goto out1;
 
@@ -2659,17 +2659,17 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
 	error = -EINVAL;
 	if (root.mnt->mnt_root != root.dentry)
 		goto out4; /* not a mountpoint */
-	if (root.mnt->mnt_parent == root.mnt)
+	if (!mnt_has_parent(root.mnt))
 		goto out4; /* not attached */
 	if (new.mnt->mnt_root != new.dentry)
 		goto out4; /* not a mountpoint */
-	if (new.mnt->mnt_parent == new.mnt)
+	if (!mnt_has_parent(new.mnt))
 		goto out4; /* not attached */
 	/* make sure we can reach put_old from new_root */
 	tmp = old.mnt;
 	if (tmp != new.mnt) {
 		for (;;) {
-			if (tmp->mnt_parent == tmp)
+			if (!mnt_has_parent(tmp))
 				goto out4; /* already mounted on put_old */
 			if (tmp->mnt_parent == new.mnt)
 				break;
diff --git a/fs/pnode.c b/fs/pnode.c
index d42514e32380..f1cd958b92e5 100644
--- a/fs/pnode.c
+++ b/fs/pnode.c
@@ -36,7 +36,7 @@ static inline struct vfsmount *next_slave(struct vfsmount *p)
 static bool is_path_reachable(struct vfsmount *mnt, struct dentry *dentry,
 			 const struct path *root)
 {
-	while (mnt != root->mnt && mnt->mnt_parent != mnt) {
+	while (mnt != root->mnt && mnt_has_parent(mnt)) {
 		dentry = mnt->mnt_mountpoint;
 		mnt = mnt->mnt_parent;
 	}
diff --git a/fs/pnode.h b/fs/pnode.h
index 1ea4ae1efcd3..e4d24fad0b44 100644
--- a/fs/pnode.h
+++ b/fs/pnode.h
@@ -9,7 +9,7 @@
 #define _LINUX_PNODE_H
 
 #include <linux/list.h>
-#include <linux/mount.h>
+#include "mount.h"
 
 #define IS_MNT_SHARED(mnt) (mnt->mnt_flags & MNT_SHARED)
 #define IS_MNT_SLAVE(mnt) (mnt->mnt_master)
-- 
2.1.4




