From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCHES] Bind mount escape fixes (CVE-2015-2925)
To: "Eric W. Biederman", stable@vger.kernel.org
References: <87a8s2a7kc.fsf@x220.int.ebiederm.org>
Cc: Greg Kroah-Hartman, Sasha Levin, Jiri Slaby, Willy Tarreau, Li Zefan, Ben Hutchings
From: Jiri Slaby
Message-ID: <560E4DA9.4010803@suse.cz>
Date: Fri, 2 Oct 2015 11:26:01 +0200
In-Reply-To: <87a8s2a7kc.fsf@x220.int.ebiederm.org>

On 10/01/2015, 06:15 PM, Eric W. Biederman wrote:
>
> With a strategically placed rename bind mounts can be tricked into
> giving processes access to the entire filesystem instead of just a piece
> of it. This misfeature has existed since bind mounts were introduced
> into the kernel. This issue has been fixed in Linus's tree and below
> are my tested backports of the fixes to 4.2.1, 4.1.8, 3.18.21, 3.14.53,
> 3.12.48, 3.10.89, 3.4.109, 3.2.71, 2.6.32.68. All of the kernels
> currently listed as being active.
>
> The fixes backported are:
> cde93be45a8a90d8c264c776fab63487b5038a65 dcache: Handle escaped paths in prepend_path
> 397d425dc26da728396e66d392d5dcb8dac30c37 vfs: Test for and handle paths that are unreachable from their mnt_root
>
> As I backported the patches the logical work remained the same but the
> exact implementation details changed to fit in with the vfs present in
> the older kernels. Minor changes were needed for the backport to
> every kernel except 4.2.1.
>
> Please queue these changes for the appropriate stable trees.

Applied to 3.12. Thanks!

-- 
js
suse labs