From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from wtarreau.pck.nerim.net ([62.212.114.60]:41414 "EHLO 1wt.eu"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751409AbbJCGMj (ORCPT ); Sat, 3 Oct 2015 02:12:39 -0400
Date: Sat, 3 Oct 2015 08:12:13 +0200
From: Willy Tarreau
To: Ben Hutchings
Cc: "Eric W. Biederman" , stable@vger.kernel.org, Greg Kroah-Hartman ,
	Sasha Levin , Jiri Slaby , Willy Tarreau , Li Zefan
Subject: Re: [PATCHES] Bind mount escape fixes (CVE-2015-2925)
Message-ID: <20151003061213.GE31716@1wt.eu>
References: <87a8s2a7kc.fsf@x220.int.ebiederm.org>
	<1443753950.2730.164.camel@decadent.org.uk>
	<87k2r6ueyd.fsf@x220.int.ebiederm.org>
	<87vbaptg2s.fsf@x220.int.ebiederm.org>
	<1443836883.2730.223.camel@decadent.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1443836883.2730.223.camel@decadent.org.uk>
Sender: stable-owner@vger.kernel.org
List-ID:

On Sat, Oct 03, 2015 at 02:48:03AM +0100, Ben Hutchings wrote:
> On Fri, 2015-10-02 at 11:01 -0500, Eric W. Biederman wrote:
> [...]
> > Having thought about this I definitely think we need this on older
> > kernels. I am aware of at least one piece of software that predates
> > 2.6.32 and is vulnerable to this escape.
> >
> > The software in all innocence bind mounted a user's /home directory into
> > a root filesystem that was stored in the user's /home directory. That
> > is enough to allow the escape with a simple unprivileged rename.
> >
> > So since this is actually exploitable on real userspace software that
> > predates 2.6.32 I think this fix needs to be backported, as it is not
> > a theoretical issue.
>
> Thanks for the explanation. I'll review and test the patches for
> 2.6.32 and 3.2 in a while.

Thanks as well.

Willy
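
An audit sketch for the layout described in the quoted message, added here as an example and not part of the thread or of the kernel patches: it reads `/proc/<pid>/mountinfo` text and reports bind mounts whose mount point lies inside their own source directory. The sample table, paths and function names are constructed for illustration, and the check is a heuristic that assumes the source directory is visible through another mount of the same device.

```python
# Added example (not from the thread): flag bind mounts whose mount point
# lies inside their own source directory, from /proc/<pid>/mountinfo text.

SAMPLE = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
30 22 0:5 / /proc rw - proc proc rw
41 22 8:1 /home/alice /home/alice/rootfs/home/alice rw - ext4 /dev/sda1 rw
42 22 8:1 /srv/data /mnt/data rw - ext4 /dev/sda1 rw
"""  # constructed sample, not captured from a real host

def unescape(field):
    # mountinfo writes space, tab, newline and backslash as octal escapes
    for code, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(code, ch)
    return field

def parse_mountinfo(text):
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or "-" not in parts:
            continue  # not a well-formed mountinfo record
        # id parent major:minor root mountpoint options [optional...] - fstype source superopts
        mounts.append({"id": parts[0], "dev": parts[2],
                       "root": unescape(parts[3]), "mountpoint": unescape(parts[4])})
    return mounts

def is_inside(path, directory):
    # True when path is strictly below directory
    return path != directory and path.startswith(directory.rstrip("/") + "/")

def self_nested_binds(mounts):
    findings = []
    for m in mounts:
        if m["root"] == "/":
            continue  # whole-filesystem mount, not a bind of a subdirectory
        for other in mounts:
            if other["id"] == m["id"] or other["dev"] != m["dev"]:
                continue
            if m["root"] != other["root"] and not is_inside(m["root"], other["root"]):
                continue
            # where the bind source is visible through the other mount
            rel = m["root"][len(other["root"].rstrip("/")):]
            source = (other["mountpoint"].rstrip("/") + rel) or "/"
            if is_inside(m["mountpoint"], source):
                findings.append((source, m["mountpoint"]))
    return findings

if __name__ == "__main__":
    for source, target in self_nested_binds(parse_mountinfo(SAMPLE)):
        print(f"bind of {source} is mounted inside itself at {target}")
```

On a live system, pass the contents of `/proc/self/mountinfo` (or that of the process whose mount namespace is being reviewed) to `parse_mountinfo`.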