* Patch "mnt: Prevent pivot_root from creating a loop in the mount tree" (CVE-2014-7970) is missing in 3.2 stable tree
From: Thomas Deutschmann @ 2016-11-23 2:04 UTC (permalink / raw)
To: stable@vger.kernel.org; +Cc: ben, ebiederm@xmission.com, luto
Hi,
the following patch was backported to the following LTS kernels
- >=3.16.35
- >=3.12.33
- >=3.10.60
- >=3.4.106
however it is missing from LTS kernels
- linux-3.2
> From 0d0826019e529f21c84687521d03f60cd241ca7d Mon Sep 17 00:00:00 2001
> From: "Eric W. Biederman" <ebiederm@xmission.com>
> Date: Wed, 8 Oct 2014 10:42:27 -0700
> Subject: [PATCH] mnt: Prevent pivot_root from creating a loop in the mount
> tree
>
> Andy Lutomirski recently demonstrated that when chroot is used to set
> the root path below the path for the new ``root'' passed to pivot_root
> the pivot_root system call succeeds and leaks mounts.
>
> In examining the code I see that starting with a new root that is
> below the current root in the mount tree will result in a loop in the
> mount tree after the mounts are detached and then reattached to one
> another. Resulting in all kinds of ugliness including a leak of that
> mounts involved in the leak of the mount loop.
>
> Prevent this problem by ensuring that the new mount is reachable from
> the current root of the mount tree.
>
> [Added stable cc. Fixes CVE-2014-7970. --Andy]
>
> Cc: stable@vger.kernel.org
> Reported-by: Andy Lutomirski <luto@amacapital.net>
> Reviewed-by: Andy Lutomirski <luto@amacapital.net>
> Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org
> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
> Signed-off-by: Andy Lutomirski <luto@amacapital.net>
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0d0826019e529f21c84687521d03f60cd241ca7d
Ubuntu is carrying the patch with additional (required?) patches, see
https://launchpad.net/ubuntu/+source/linux/3.2.0-77.112
--
Regards,
Thomas
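The reachability check described in the quoted commit message, as an added example that is not part of the original message or of the kernel patch. It is a simplified model in which a mount has only a parent link; `struct mnt`, `pivot_model` and `run_case` are hypothetical names and the mount trees are constructed.

```c
#include <stdio.h>

/* Simplified model (assumption): a mount has only a parent link.
 * Dentries, namespaces and locking of the kernel code are left out. */
struct mnt { struct mnt *parent; };

/* 1 if root is m itself or an ancestor of m (bounded walk). */
static int reachable_from(const struct mnt *m, const struct mnt *root) {
    for (int i = 0; m && i < 64; i++, m = m->parent)
        if (m == root) return 1;
    return 0;
}

/* 1 if the parent chain from m never ends (Floyd cycle detection). */
static int in_loop(const struct mnt *m) {
    const struct mnt *slow = m, *fast = m;
    while (fast && fast->parent) {
        slow = slow->parent;
        fast = fast->parent->parent;
        if (slow == fast) return 1;
    }
    return 0;
}

/* Pivot re-parenting: old root goes to put_old, new_mnt takes its place.
 * With check set, refuse (-1) unless new_mnt is reachable from root. */
static int pivot_model(struct mnt *root, struct mnt *new_mnt,
                       struct mnt *put_old, int check) {
    if (check && !reachable_from(new_mnt, root))
        return -1;
    struct mnt *root_parent = root->parent;
    root->parent = put_old;
    new_mnt->parent = root_parent;
    return 0;
}

/* Constructed trees. below != 0: caller's root r is mounted below n (the
 * chroot case); below == 0: n is mounted below r (an ordinary pivot).
 * Returns -1 if refused, else 1 if n ends up in a parent loop, 0 if not. */
static int run_case(int below, int check) {
    struct mnt top = { NULL }, n = { &top }, r = { &top };
    if (below) r.parent = &n; else n.parent = &r;
    return pivot_model(&r, &n, &n, check) ? -1 : in_loop(&n);
}

int main(void) {
    printf("chroot case: unchecked=%d checked=%d; ordinary pivot: %d\n",
           run_case(1, 0), run_case(1, 1), run_case(0, 1));
    return 0;
}
```

In the unchecked chroot case `n` becomes its own parent, so the loop is no longer linked to `top`; with the check the call is refused, and the ordinary pivot is unaffected.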
* Re: Patch "mnt: Prevent pivot_root from creating a loop in the mount tree" (CVE-2014-7970) is missing in 3.2 stable tree
From: Ben Hutchings @ 2017-10-08 20:42 UTC (permalink / raw)
To: Thomas Deutschmann, stable@vger.kernel.org; +Cc: ebiederm@xmission.com, luto
On Wed, 2016-11-23 at 03:04 +0100, Thomas Deutschmann wrote:
> Hi,
>
> the following patch was backported to the following LTS kernels
>
> - >=3.16.35
> - >=3.12.33
> - >=3.10.60
> - >=3.4.106
>
>
> however it is missing from LTS kernels
>
> - linux-3.2
[...]
pivot_root() is only available with CAP_SYS_ADMIN, and 3.2 doesn't
support capabilities in user namespaces. So I don't believe this has
any security impact.
Ben.
--
Ben Hutchings
compatible: Gracefully accepts erroneous data from any source
* Re: Patch "mnt: Prevent pivot_root from creating a loop in the mount tree" (CVE-2014-7970) is missing in 3.2 stable tree
From: Eric W. Biederman @ 2017-10-09 15:50 UTC (permalink / raw)
To: Ben Hutchings; +Cc: Thomas Deutschmann, stable@vger.kernel.org, luto
Ben Hutchings <ben@decadent.org.uk> writes:
> On Wed, 2016-11-23 at 03:04 +0100, Thomas Deutschmann wrote:
>> Hi,
>>
>> the following patch was backported to the following LTS kernels
>>
>> - >=3.16.35
>> - >=3.12.33
>> - >=3.10.60
>> - >=3.4.106
>>
>>
>> however it is missing from LTS kernels
>>
>> - linux-3.2
> [...]
>
> pivot_root() is only available with CAP_SYS_ADMIN, and 3.2 doesn't
> support capabilities in user namespaces. So I don't believe this has
> any security impact.
Agreed. It will prevent root shooting themselves in the foot, in a way
that should never have been allowed.
There is no danger of an unprivileged user triggering this.
If the patch applies cleanly to 3.2 it won't hurt and may help. But
for 3.2 it would be just an ordinary bug fix.
Eric