Date: Sat, 17 Oct 2015 17:01:10 -0700
From: Greg Kroah-Hartman
To: "Eric W. Biederman"
Cc: stable@vger.kernel.org, Sasha Levin, Jiri Slaby, Willy Tarreau, Li Zefan, Ben Hutchings
Subject: Re: [PATCHES] Bind mount escape fixes (CVE-2015-2925)
Message-ID: <20151018000110.GA18971@kroah.com>
References: <87a8s2a7kc.fsf@x220.int.ebiederm.org>
In-Reply-To: <87a8s2a7kc.fsf@x220.int.ebiederm.org>

On Thu, Oct 01, 2015 at 11:15:47AM -0500, Eric W. Biederman wrote:
>
> With a strategically placed rename bind mounts can be tricked into
> giving processes access to the entire filesystem instead of just a piece
> of it. This misfeature has existed since bind mounts were introduced
> into the kernel. This issue has been fixed in Linus's tree and below
> are my tested backports of the fixes to 4.2.1, 4.1.8, 3.18.21, 3.14.53,
> 3.12.48, 3.10.89, 3.4.109, 3.2.71, 2.6.32.68. All of the kernels
> currently listed as being active.
>
> The fixes backported are:
> cde93be45a8a90d8c264c776fab63487b5038a65 dcache: Handle escaped paths in prepend_path
> 397d425dc26da728396e66d392d5dcb8dac30c37 vfs: Test for and handle paths that are unreachable from their mnt_root
>
> As I backported the patches the logical work remained the same but the
> exact implementation details changed to fit in with the vfs present in
> the older kernels. Minor changes were needed for the backport to
> every kernel except 4.2.1.
>
> Please queue these changes for the appropriate stable trees.
>

Thanks for these, now applied to 4.2, 4.1, 3.14, and 3.10 stable trees.

greg k-h

>
> Eric