author | Al Viro <viro@zeniv.linux.org.uk> | 2015-01-15 17:49:26 +0000 |
---|---|---|
committer | Simon Shields <keepcalm444@gmail.com> | 2016-03-15 00:31:24 -0800 |
commit | 1ea0519741949d2d1030a42383665fa6353f047e (patch) | |
tree | 272ac765032779dd2eea9a03a2efef49268834ed /fs/namespace.c | |
parent | b9ff9ff44ca2b2b348a27081c8e0bb686dd094fa (diff) | |
vfs: more mnt_parent cleanups
a) mount --move is checking that ->mnt_parent is non-NULL before
looking if that parent happens to be shared; ->mnt_parent is never
NULL and it's not even a misspelled !mnt_has_parent()
b) pivot_root open-codes is_path_reachable(), poorly.
c) so does path_is_under(), while we are at it.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(backported from commit afac7cba7ed31968a95e181dc25e204e45009ea8)
CVE-2014-7970
BugLink: http://bugs.launchpad.net/bugs/1383356
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Change-Id: I6b2297f46388f135c1b760a37d45efc0e33542db
Diffstat (limited to 'fs/namespace.c')
-rw-r--r-- | fs/namespace.c | 42 |
1 files changed, 27 insertions, 15 deletions
diff --git a/fs/namespace.c b/fs/namespace.c
index 3d86080..900812f 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1902,8 +1902,7 @@ static int do_move_mount(struct path *path, char *old_name)
 /*
 * Don't move a mount residing in a shared parent.
 */
- if (old_path.mnt->mnt_parent &&
- IS_MNT_SHARED(old_path.mnt->mnt_parent))
+ if (IS_MNT_SHARED(old_path.mnt->mnt_parent))
 goto out1;
 /*
 * Don't move a mount tree containing unbindable mounts to a destination
@@ -2528,6 +2527,31 @@ out_type:
 }
 
 /*
+ * Return true if path is reachable from root
+ *
+ * namespace_sem or vfsmount_lock is held
+ */
+bool is_path_reachable(struct vfsmount *mnt, struct dentry *dentry,
+ const struct path *root)
+{
+ while (mnt != root->mnt && mnt_has_parent(mnt)) {
+ dentry = mnt->mnt_mountpoint;
+ mnt = mnt->mnt_parent;
+ }
+ return mnt == root->mnt && is_subdir(dentry, root->dentry);
+}
+
+int path_is_under(struct path *path1, struct path *path2)
+{
+ int res;
+ br_read_lock(vfsmount_lock);
+ res = is_path_reachable(path1->mnt, path1->dentry, path2);
+ br_read_unlock(vfsmount_lock);
+ return res;
+}
+EXPORT_SYMBOL(path_is_under);
+
+/*
 * pivot_root Semantics:
 * Moves the root file system of the current process to the directory put_old,
 * makes new_root as the new root file system of the current process, and sets
@@ -2555,7 +2579,6 @@ out_type:
 SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
 const char __user *, put_old)
 {
- struct vfsmount *tmp;
 struct path new, old, parent_path, root_parent, root;
 int error;
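Review bot: In the second hunk, the header comment on `is_path_reachable()` does not say what a false return covers, and the exported `path_is_under()` gets no comment at all. From the loop, the helper returns false both when the walk up `->mnt_parent` stops at a parentless mount before reaching `root->mnt` and when the resulting `dentry` is not under `root->dentry`; I would add a line saying so, e.g. `* Returns false if the walk ends before root->mnt or the dentry is not under root->dentry.` For `path_is_under()` I would add `/* Is path1 at or below path2? Takes vfsmount_lock for reading itself. */`, and `res` could be declared `bool` since it only carries the helper's result. `is_path_reachable()` is defined without `static` and its declaration is not part of this fs/namespace.c-only view, so whether other files need the external linkage cannot be confirmed from here.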
@@ -2605,18 +2628,7 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
 if (!mnt_has_parent(new.mnt))
 goto out4; /* not attached */
 /* make sure we can reach put_old from new_root */
- tmp = old.mnt;
- if (tmp != new.mnt) {
- for (;;) {
- if (!mnt_has_parent(tmp))
- goto out4; /* already mounted on put_old */
- if (tmp->mnt_parent == new.mnt)
- break;
- tmp = tmp->mnt_parent;
- }
- if (!is_subdir(tmp->mnt_mountpoint, new.dentry))
- goto out4;
- } else if (!is_subdir(old.dentry, new.dentry))
+ if (!is_path_reachable(old.mnt, old.dentry, &new))
 goto out4;
 /* make certain new is below the root */
 if (!is_path_reachable(new.mnt, new.dentry, &root)) |
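Review bot: Both `is_path_reachable()` calls in this hunk rely on the helper's stated precondition ("namespace_sem or vfsmount_lock is held"), but the lock acquisition is not visible here; pivot_root's body starts and ends outside the hunk. Because these two checks are what reject an unsuitable new_root/put_old pair, I would name the lock at the first call, e.g. `/* is_path_reachable() requires namespace_sem or vfsmount_lock; taken at <lock site> */`, so a later reordering of the locking does not silently break them. The removed branch also carried the hint `/* already mounted on put_old */`, which is now lost; extending the surviving comment to `/* make sure we can reach put_old from new_root; fails if put_old's mount chain ends first */` would keep that information.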