stable.vger.kernel.org archive mirror
From: ebiederm@xmission.com (Eric W. Biederman)
To: Greg KH <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org, stable-commits@vger.kernel.org
Subject: Re: Patch "vfs: Ignore unlocked mounts in fs_fully_visible" has been added to the 3.14-stable tree
Date: Wed, 08 Jul 2015 09:35:08 -0500
Message-ID: <877fqaafab.fsf@x220.int.ebiederm.org>
In-Reply-To: <20150708142130.GA10625@kroah.com> (Greg KH's message of "Wed, 8 Jul 2015 07:21:30 -0700")

Greg KH <gregkh@linuxfoundation.org> writes:

> On Wed, Jul 08, 2015 at 08:31:40AM -0500, Eric W. Biederman wrote:
>> 
>> Are:
>> 
>> mnt: Refactor the logic for mounting sysfs and proc in a user namespace 1b852bceb0d111e510d1a15826ecc4a19358d512
>> mnt: Modify fs_fully_visible to deal with locked ro nodev and atime     8c6cf9cc829fcd0b179b59f7fe288941d0e31108
>> 
>> coming?
>> 
>> Anyone being able to remove the read-only mount status of
>> proc and sysfs is a scary bug.  I think I have seen CVE flying
>
> I was going to wait for the next round of stable kernels for these
> fixes, I had to draw the line somewhere.  I wasn't aware there was a CVE
> for this, if you think they should go in now, I'll go add them.

I don't know about when, all I was making certain about was that the
fixes don't get overlooked.  Patches coming into stable out of the order
they were put into my tree caused me concern that patches were being
overlooked.

As for CVEs it is the nature of the bugs I have been fixing for the last
I don't know how long that someone will attach a CVE.  *Sigh*

> But wasn't there more than just these two?  I see a number of patches in
> my queue around this area that you were asking to be included in stable
> kernels.

There were two basic issues being fixed with clear security implications.
- Ensure new mounts of proc and sysfs have the same read-only attributes
- Making fs_fully_visible accurately ignore only filesystems mounted
  on top of proc and sysfs on dedicated directories.

I was just asking about the two patches that constitute the fix for the
first issue; they are comparatively simple and the issue is comparatively
scary.

Eric
