[Precise][CVE-2014-7970][PATCH 2/3] vfs: more mnt_parent cleanups

Luis Henriques luis.henriques at canonical.com
Thu Jan 15 17:49:26 UTC 2015 

From: Al Viro <viro at zeniv.linux.org.uk>

a) mount --move is checking that ->mnt_parent is non-NULL before
looking if that parent happens to be shared; ->mnt_parent is never
NULL and it's not even an misspelled !mnt_has_parent()

b) pivot_root open-codes is_path_reachable(), poorly.

c) so does path_is_under(), while we are at it.

Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
(backported from commit afac7cba7ed31968a95e181dc25e204e45009ea8)
CVE-2014-7970
BugLink: http://bugs.launchpad.net/bugs/1383356
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 fs/dcache.c    | 25 -------------------------
 fs/namespace.c | 42 +++++++++++++++++++++++++++---------------
 fs/pnode.c     | 15 ---------------
 fs/pnode.h     |  2 ++
 4 files changed, 29 insertions(+), 55 deletions(-)

diff --git a/fs/dcache.c b/fs/dcache.c
index 7ece12104580..d8f55abcdac6 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -2858,31 +2858,6 @@ int is_subdir(struct dentry *new_dentry, struct dentry *old_dentry)
 	return result;
 }
 
-int path_is_under(struct path *path1, struct path *path2)
-{
-	struct vfsmount *mnt = path1->mnt;
-	struct dentry *dentry = path1->dentry;
-	int res;
-
-	br_read_lock(vfsmount_lock);
-	if (mnt != path2->mnt) {
-		for (;;) {
-			if (!mnt_has_parent(mnt)) {
-				br_read_unlock(vfsmount_lock);
-				return 0;
-			}
-			if (mnt->mnt_parent == path2->mnt)
-				break;
-			mnt = mnt->mnt_parent;
-		}
-		dentry = mnt->mnt_mountpoint;
-	}
-	res = is_subdir(dentry, path2->dentry);
-	br_read_unlock(vfsmount_lock);
-	return res;
-}
-EXPORT_SYMBOL(path_is_under);
-
 void d_genocide(struct dentry *root)
 {
 	struct dentry *this_parent;
diff --git a/fs/namespace.c b/fs/namespace.c
index b533bb5857b8..eaf076a2ed4a 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1923,8 +1923,7 @@ static int do_move_mount(struct path *path, char *old_name)
 	/*
 	 * Don't move a mount residing in a shared parent.
 	 */
-	if (old_path.mnt->mnt_parent &&
-	    IS_MNT_SHARED(old_path.mnt->mnt_parent))
+	if (IS_MNT_SHARED(old_path.mnt->mnt_parent))
 		goto out1;
 	/*
 	 * Don't move a mount tree containing unbindable mounts to a destination
@@ -2589,6 +2588,31 @@ out_type:
 }
 
 /*
+ * Return true if path is reachable from root
+ *
+ * namespace_sem or vfsmount_lock is held
+ */
+bool is_path_reachable(struct vfsmount *mnt, struct dentry *dentry,
+			 const struct path *root)
+{
+	while (mnt != root->mnt && mnt_has_parent(mnt)) {
+		dentry = mnt->mnt_mountpoint;
+		mnt = mnt->mnt_parent;
+	}
+	return mnt == root->mnt && is_subdir(dentry, root->dentry);
+}
+
+int path_is_under(struct path *path1, struct path *path2)
+{
+	int res;
+	br_read_lock(vfsmount_lock);
+	res = is_path_reachable(path1->mnt, path1->dentry, path2);
+	br_read_unlock(vfsmount_lock);
+	return res;
+}
+EXPORT_SYMBOL(path_is_under);
+
+/*
  * pivot_root Semantics:
  * Moves the root file system of the current process to the directory put_old,
  * makes new_root as the new root file system of the current process, and sets
@@ -2616,7 +2640,6 @@ out_type:
 SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
 		const char __user *, put_old)
 {
-	struct vfsmount *tmp;
 	struct path new, old, parent_path, root_parent, root;
 	int error;
 
@@ -2666,18 +2689,7 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
 	if (!mnt_has_parent(new.mnt))
 		goto out4; /* not attached */
 	/* make sure we can reach put_old from new_root */
-	tmp = old.mnt;
-	if (tmp != new.mnt) {
-		for (;;) {
-			if (!mnt_has_parent(tmp))
-				goto out4; /* already mounted on put_old */
-			if (tmp->mnt_parent == new.mnt)
-				break;
-			tmp = tmp->mnt_parent;
-		}
-		if (!is_subdir(tmp->mnt_mountpoint, new.dentry))
-			goto out4;
-	} else if (!is_subdir(old.dentry, new.dentry))
+	if (!is_path_reachable(old.mnt, old.dentry, &new))
 		goto out4;
 	br_write_lock(vfsmount_lock);
 	detach_mnt(new.mnt, &parent_path);
diff --git a/fs/pnode.c b/fs/pnode.c
index f1cd958b92e5..4d5a06ea57a2 100644
--- a/fs/pnode.c
+++ b/fs/pnode.c
@@ -28,21 +28,6 @@ static inline struct vfsmount *next_slave(struct vfsmount *p)
 	return list_entry(p->mnt_slave.next, struct vfsmount, mnt_slave);
 }
 
-/*
- * Return true if path is reachable from root
- *
- * namespace_sem is held, and mnt is attached
- */
-static bool is_path_reachable(struct vfsmount *mnt, struct dentry *dentry,
-			 const struct path *root)
-{
-	while (mnt != root->mnt && mnt_has_parent(mnt)) {
-		dentry = mnt->mnt_mountpoint;
-		mnt = mnt->mnt_parent;
-	}
-	return mnt == root->mnt && is_subdir(dentry, root->dentry);
-}
-
 static struct vfsmount *get_peer_under_root(struct vfsmount *mnt,
 					    struct mnt_namespace *ns,
 					    const struct path *root)
diff --git a/fs/pnode.h b/fs/pnode.h
index e4d24fad0b44..a602ec45537e 100644
--- a/fs/pnode.h
+++ b/fs/pnode.h
@@ -36,4 +36,6 @@ int propagate_umount(struct list_head *);
 int propagate_mount_busy(struct vfsmount *, int);
 void mnt_release_group_id(struct vfsmount *);
 int get_dominating_id(struct vfsmount *mnt, const struct path *root);
+bool is_path_reachable(struct vfsmount *, struct dentry *,
+			 const struct path *root);
 #endif /* _LINUX_PNODE_H */
-- 
2.1.4

More information about the kernel-team mailing list