Re: [PATCHES] Bind mount escape fixes (CVE-2015-2925)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Willy Tarreau <w@1wt.eu>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
	stable@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Sasha Levin <sasha.levin@oracle.com>,
	Jiri Slaby <jirislaby@gmail.com>,
	Willy Tarreau <willy@meta-x.org>, Li Zefan <lizefan@huawei.com>
Subject: Re: [PATCHES] Bind mount escape fixes (CVE-2015-2925)
Date: Sat, 3 Oct 2015 08:12:13 +0200	[thread overview]
Message-ID: <20151003061213.GE31716@1wt.eu> (raw)
In-Reply-To: <1443836883.2730.223.camel@decadent.org.uk>

On Sat, Oct 03, 2015 at 02:48:03AM +0100, Ben Hutchings wrote:
> On Fri, 2015-10-02 at 11:01 -0500, Eric W. Biederman wrote:
> [...]
> > Having thought about this I definitely think we need this on older
> > kernels.  I am aware of at least one piece of software that predates
> > 2.6.32 is vulnerable to this escape.
> > 
> > The software in all innocence bind mounted a users /home directory into
> > a root filesystem that was stored in the users /home directory.  That
> > is enough to allow the escape with a simple unprivileged rename.
> >
> > So since this is actually exploitable on real userspace software that
> > predates 2.6.32 I think this fix needs to be backported, as it is not
> > a theoretical issue.
> 
> Thanks for the explanation.  I'll review and test the patches for
> 2.6.32 and 3.2 in a while.

Thanks as well.

Willy

next prev parent reply	other threads:[~2015-10-03  6:12 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-10-01 16:15 [PATCHES] Bind mount escape fixes (CVE-2015-2925) Eric W. Biederman
2015-10-01 23:08 ` Willy Tarreau
2015-10-02  2:45 ` Ben Hutchings
2015-10-02  3:28   ` Eric W. Biederman
2015-10-02 16:01     ` Eric W. Biederman
2015-10-03  1:48       ` Ben Hutchings
2015-10-03  6:12         ` Willy Tarreau [this message]
2015-10-02  9:26 ` Jiri Slaby
2015-10-05 10:34 ` Luis Henriques
2015-10-08  1:08 ` Ben Hutchings
2015-10-08  5:11   ` Willy Tarreau
2015-10-18  0:01 ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20151003061213.GE31716@1wt.eu \
    --to=w@1wt.eu \
    --cc=ben@decadent.org.uk \
    --cc=ebiederm@xmission.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=jirislaby@gmail.com \
    --cc=lizefan@huawei.com \
    --cc=sasha.levin@oracle.com \
    --cc=stable@vger.kernel.org \
    --cc=willy@meta-x.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.