diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2015-01-15 17:49:26 +0000 |
|---|---|---|
| committer | Ziyan <jaraidaniel@gmail.com> | 2016-10-29 01:34:21 +0200 |
| commit | 3900c2b6dcee9198e4e03abfecdedd1c30f68c0f (patch) | |
| tree | c682e45c124c895f14ab9123092753603c0102b7 /fs | |
| parent | d478a9dac767ad4e3c2e2dd3d141c6165387a117 (diff) | |
| download | kernel_samsung_tuna-3900c2b6dcee9198e4e03abfecdedd1c30f68c0f.zip kernel_samsung_tuna-3900c2b6dcee9198e4e03abfecdedd1c30f68c0f.tar.gz kernel_samsung_tuna-3900c2b6dcee9198e4e03abfecdedd1c30f68c0f.tar.bz2 | |
vfs: more mnt_parent cleanups
a) mount --move is checking that ->mnt_parent is non-NULL before
looking if that parent happens to be shared; ->mnt_parent is never
NULL and it's not even an misspelled !mnt_has_parent()
b) pivot_root open-codes is_path_reachable(), poorly.
c) so does path_is_under(), while we are at it.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
(backported from commit afac7cba7ed31968a95e181dc25e204e45009ea8)
CVE-2014-7970
BugLink: http://bugs.launchpad.net/bugs/1383356
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Change-Id: I6b2297f46388f135c1b760a37d45efc0e33542db
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/dcache.c | 25 | ||||
| -rw-r--r-- | fs/namespace.c | 42 | ||||
| -rw-r--r-- | fs/pnode.c | 15 | ||||
| -rw-r--r-- | fs/pnode.h | 2 |
4 files changed, 29 insertions, 55 deletions
diff --git a/fs/dcache.c b/fs/dcache.c index 57e163b..deb6f6a 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2919,31 +2919,6 @@ int is_subdir(struct dentry *new_dentry, struct dentry *old_dentry) return result; } -int path_is_under(struct path *path1, struct path *path2) -{ - struct vfsmount *mnt = path1->mnt; - struct dentry *dentry = path1->dentry; - int res; - - br_read_lock(&vfsmount_lock); - if (mnt != path2->mnt) { - for (;;) { - if (!mnt_has_parent(mnt)) { - br_read_unlock(&vfsmount_lock); - return 0; - } - if (mnt->mnt_parent == path2->mnt) - break; - mnt = mnt->mnt_parent; - } - dentry = mnt->mnt_mountpoint; - } - res = is_subdir(dentry, path2->dentry); - br_read_unlock(&vfsmount_lock); - return res; -} -EXPORT_SYMBOL(path_is_under); - void d_genocide(struct dentry *root) { struct dentry *this_parent; diff --git a/fs/namespace.c b/fs/namespace.c index 489a74d..47247ee 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1943,8 +1943,7 @@ static int do_move_mount(struct path *path, const char *old_name) /* * Don't move a mount residing in a shared parent. */ - if (old_path.mnt->mnt_parent && - IS_MNT_SHARED(old_path.mnt->mnt_parent)) + if (IS_MNT_SHARED(old_path.mnt->mnt_parent)) goto out1; /* * Don't move a mount tree containing unbindable mounts to a destination @@ -2588,6 +2587,31 @@ out_type: } /* + * Return true if path is reachable from root + * + * namespace_sem or vfsmount_lock is held + */ +bool is_path_reachable(struct vfsmount *mnt, struct dentry *dentry, + const struct path *root) +{ + while (mnt != root->mnt && mnt_has_parent(mnt)) { + dentry = mnt->mnt_mountpoint; + mnt = mnt->mnt_parent; + } + return mnt == root->mnt && is_subdir(dentry, root->dentry); +} + +int path_is_under(struct path *path1, struct path *path2) +{ + int res; + br_read_lock(&vfsmount_lock); + res = is_path_reachable(path1->mnt, path1->dentry, path2); + br_read_unlock(&vfsmount_lock); + return res; +} +EXPORT_SYMBOL(path_is_under); + +/* * pivot_root Semantics: * Moves the root file system of the current process to the directory put_old, * makes new_root as the new root file system of the current process, and sets @@ -2615,7 +2639,6 @@ out_type: SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, const char __user *, put_old) { - struct vfsmount *tmp; struct path new, old, parent_path, root_parent, root; int error; @@ -2665,18 +2688,7 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root, if (!mnt_has_parent(new.mnt)) goto out4; /* not attached */ /* make sure we can reach put_old from new_root */ - tmp = old.mnt; - if (tmp != new.mnt) { - for (;;) { - if (!mnt_has_parent(tmp)) - goto out4; /* already mounted on put_old */ - if (tmp->mnt_parent == new.mnt) - break; - tmp = tmp->mnt_parent; - } - if (!is_subdir(tmp->mnt_mountpoint, new.dentry)) - goto out4; - } else if (!is_subdir(old.dentry, new.dentry)) + if (!is_path_reachable(old.mnt, old.dentry, &new)) goto out4; /* make certain new is below the root */ if (!is_path_reachable(new.mnt, new.dentry, &root)) @@ -28,21 +28,6 @@ static inline struct vfsmount *next_slave(struct vfsmount *p) return list_entry(p->mnt_slave.next, struct vfsmount, mnt_slave); } -/* - * Return true if path is reachable from root - * - * namespace_sem is held, and mnt is attached - */ -static bool is_path_reachable(struct vfsmount *mnt, struct dentry *dentry, - const struct path *root) -{ - while (mnt != root->mnt && mnt_has_parent(mnt)) { - dentry = mnt->mnt_mountpoint; - mnt = mnt->mnt_parent; - } - return mnt == root->mnt && is_subdir(dentry, root->dentry); -} - static struct vfsmount *get_peer_under_root(struct vfsmount *mnt, struct mnt_namespace *ns, const struct path *root) @@ -37,4 +37,6 @@ int propagate_umount(struct list_head *); int propagate_mount_busy(struct vfsmount *, int); void mnt_release_group_id(struct vfsmount *); int get_dominating_id(struct vfsmount *mnt, const struct path *root); +bool is_path_reachable(struct vfsmount *, struct dentry *, + const struct path *root); #endif /* _LINUX_PNODE_H */ |