On Thu, 2015-10-01 at 11:15 -0500, Eric W. Biederman wrote:
> With a strategically placed rename bind mounts can be tricked into
> giving processes access to the entire filesystem instead of just a piece
> of it. This misfeature has existed since bind mounts were introduced
> into the kernel. This issue has been fixed in Linus's tree and below
> are my tested backports of the fixes to 4.2.1, 4.1.8, 3.18.21, 3.14.53,
> 3.12.48, 3.10.89, 3.4.109, 3.2.71, 2.6.32.68. All of the kernels
> currently listed as being active.
>
> The fixes backported are:
> cde93be45a8a90d8c264c776fab63487b5038a65 dcache: Handle escaped paths in
> prepend_path
> 397d425dc26da728396e66d392d5dcb8dac30c37 vfs: Test for and handle paths that
> are unreachable from their mnt_root
>
> As I backported the patches the logical work remained the same but the
> exact implementation details changed to fit in with the vfs present in
> the older kernels. Minor changes were needed for the backport to
> every kernel except 4.2.1.
>
> Please queue these changes for the appropriate stable trees.
For 2.6.32, the first backport looks wrong:
> --- a/fs/dcache.c
> +++ b/fs/dcache.c
> @@ -1910,7 +1910,7 @@ char *__d_path(const struct path *path, struct path
> *root,
> struct dentry *dentry = path->dentry;
> struct vfsmount *vfsmnt = path->mnt;
> char *end = buffer + buflen;
> - char *retval;
> + char *retval, *tail;
>
> spin_lock(&vfsmount_lock);
> prepend(&end, &buflen, "\0", 1);
> @@ -1923,6 +1923,7 @@ char *__d_path(const struct path *path, struct path
> *root,
> /* Get '/' right */
> retval = end-1;
> *retval = '/';
> + tail = end;
So tail points to the null terminator.
> for (;;) {
> struct dentry * parent;
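Review bot: `tail = end;` records the address of the NUL terminator that `prepend(&end, &buflen, "\0", 1)` wrote a few lines earlier, not the '/' at `end-1` and not a spare byte, so any later store through `tail` clobbers the terminator. If the intent is to rewind the buffer to the initial "/" on escape, either save `end-1` here or have the escape path re-prepend "\0" after rewinding `end` to `tail`.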
> @@ -1930,6 +1931,12 @@ char *__d_path(const struct path *path, struct path
> *root,
> if (dentry == root->dentry && vfsmnt == root->mnt)
> break;
> if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
> + /* Escaped? */
> + if (dentry != vfsmnt->mnt_root) {
> + retval = tail;
> + *retval = '/';
Now we overwrite the null terminator.
> + goto out;
> + }
> /* Global root? */
> if (vfsmnt->mnt_parent == vfsmnt) {
> goto global_root;
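Review bot: the escape branch `retval = tail; *retval = '/'; goto out;` overwrites the terminator saved in `tail` and returns a string that has no NUL inside the buffer, and it never emits the "(unreachable)" marker the commit message says getcwd needs. Suggest rewinding instead of writing through `tail`: `buflen += (tail - end); end = tail;` and then `prepend(&end, &buflen, "(unreachable)/", 14)` with `retval = end;`, which keeps the NUL at `tail` intact and produces the marker.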
Also, nothing inserts the "(unreachable)" string. I've attached my
version, which deals with both of these.
Ben.
--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.

From: "Eric W. Biederman" <[email protected]>
Date: Sat, 15 Aug 2015 13:36:12 -0500
Subject: dcache: Handle escaped paths in prepend_path
Origin: https://git.kernel.org/linus/cde93be45a8a90d8c264c776fab63487b5038a65

A rename can result in a dentry that by walking up d_parent will never
reach its mnt_root. For lack of a better term I call this an escaped
path.

prepend_path is called by four different functions __d_path,
d_absolute_path, d_path, and getcwd.

__d_path only wants to see paths that are connected to the root it passes
in. So __d_path needs prepend_path to return an error.

d_absolute_path similarly wants to see paths that are connected to some
root. Escaped paths are not connected to any mnt_root so d_absolute_path
needs prepend_path to return an error greater than 1. So escaped paths
will be treated like paths on lazily unmounted mounts.

getcwd needs to prepend "(unreachable)" so getcwd also needs prepend_path
to return an error.

d_path is the interesting hold out. d_path just wants to print something,
and does not care about the weird cases. Which raises the question what
should be printed?

Given that <escaped_path>/<anything> should result in -ENOENT I believe it
is desirable for escaped paths to be printed as empty paths. As there are
not really any meaningful path components when considered from the
perspective of a mount tree.

So tweak prepend_path to return an empty path with a new error code of 3
when it encounters an escaped path.

Signed-off-by: "Eric W. Biederman" <[email protected]>
Signed-off-by: Al Viro <[email protected]>
[bwh: For 2.6.32, implement the "(unreachable)" string in __d_path()]
Signed-off-by: Ben Hutchings <[email protected]>
---
 fs/dcache.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/dcache.c b/fs/dcache.c
index 44c0aeafcbc9..e1accce92f68 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1910,7 +1910,7 @@ char *__d_path(const struct path *path, struct path *root, struct dentry *dentry = path->dentry; struct vfsmount *vfsmnt = path->mnt; char *end = buffer + buflen; - char *retval; + char *retval, *tail; spin_lock(&vfsmount_lock); prepend(&end, &buflen, "\0", 1); @@ -1923,6 +1923,7 @@ char *__d_path(const struct path *path, struct path *root, /* Get '/' right */ retval = end-1; *retval = '/'; + tail = end; for (;;) { struct dentry * parent; @@ -1930,6 +1931,14 @@ char *__d_path(const struct path *path, struct path *root, if (dentry == root->dentry && vfsmnt == root->mnt) break; if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) { + /* Escaped? */ + if (dentry != vfsmnt->mnt_root) { + buflen += (tail - end); + end = tail; + prepend(&end, &buflen, "(unreachable)/", 14); + retval = end; + goto out; + } /* Global root? */ if (vfsmnt->mnt_parent == vfsmnt) { goto global_root;
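Review bot: the result of `prepend(&end, &buflen, "(unreachable)/", 14)` in the escape branch is not checked. prepend() fails and leaves `end` where it was when fewer than 14 bytes remain, so `retval = end` would then point at the terminator sitting at `tail` and the caller gets an empty string rather than an error; suggest `if (prepend(&end, &buflen, "(unreachable)/", 14) != 0)` and jumping to the same too-long exit the name prepends in this loop use. The rewind `buflen += (tail - end); end = tail;` itself looks right: it returns the budget consumed by the components already emitted and preserves the NUL at `tail`.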
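To make the two defects in the first backport and the behaviour of the corrected escape branch concrete, here is a user-space model of how __d_path() in 2.6.32 builds a path backwards in a buffer. This is an added example, not kernel code and not part of either patch: prepend() is reimplemented with the kernel helper's semantics (shrink the budget first, fail without touching the buffer when the text does not fit), the component names are constructed, and the escape modes are labels I chose to compare the broken store through `tail`, the corrected rewind plus "(unreachable)/" prefix, and the same rewind with the prepend() return value ignored.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Model of the kernel's prepend() (constructed, mirrors the 2.6.32 helper):
 * shrink buflen first; on overflow return an error without moving *buffer. */
static int prepend(char **buffer, int *buflen, const char *str, int namelen)
{
	*buflen -= namelen;
	if (*buflen < 0)
		return -ENAMETOOLONG;
	*buffer -= namelen;
	memcpy(*buffer, str, namelen);
	return 0;
}

enum escape_mode {
	ESCAPE_NONE,          /* walk reaches its root normally */
	ESCAPE_BROKEN,        /* first backport: retval = tail; *retval = '/' */
	ESCAPE_FIXED_NOCHECK, /* rewind + "(unreachable)/", result ignored */
	ESCAPE_FIXED          /* rewind + "(unreachable)/", failure propagated */
};

/* comps are name components leaf-first, as the d_parent walk sees them.
 * Returns a pointer into buf, or NULL for the kernel's too-long error. */
static char *build_path(char *buf, int buflen, const char *const *comps,
			int ncomps, enum escape_mode mode)
{
	char *end = buf + buflen;
	char *retval, *tail;
	int i;

	prepend(&end, &buflen, "\0", 1);
	/* Get '/' right */
	retval = end - 1;
	*retval = '/';
	tail = end; /* address of the NUL terminator, exactly as in the backport */

	for (i = 0; i < ncomps; i++) {
		/* prepend_name() followed by the separating '/' */
		if (prepend(&end, &buflen, comps[i], (int)strlen(comps[i])) != 0 ||
		    prepend(&end, &buflen, "/", 1) != 0)
			return NULL;
		retval = end;
	}

	switch (mode) {
	case ESCAPE_BROKEN:
		retval = tail;
		*retval = '/'; /* overwrites the terminator written above */
		break;
	case ESCAPE_FIXED_NOCHECK:
	case ESCAPE_FIXED:
		buflen += (tail - end); /* give back the components already emitted */
		end = tail;
		if (prepend(&end, &buflen, "(unreachable)/", 14) != 0 &&
		    mode == ESCAPE_FIXED)
			return NULL;
		retval = end; /* unchecked variant: end unchanged, points at NUL */
		break;
	case ESCAPE_NONE:
		break;
	}
	return retval;
}

/* Each scenario runs on a buffer filled with junk first, because the
 * kernel's page buffer is not zeroed either. */
static char scratch[64];

static char *run(int buflen, enum escape_mode mode)
{
	static const char *const comps[] = { "c", "b", "a" }; /* constructed: /a/b/c */
	memset(scratch, 'X', sizeof scratch);
	return build_path(scratch, buflen, comps, 3, mode);
}

const char *path_normal(void) { return run(64, ESCAPE_NONE); }            /* "/a/b/c" */
const char *path_escaped_fixed(void) { return run(64, ESCAPE_FIXED); }    /* "(unreachable)/" */

/* 1 if a NUL survives anywhere in the buffer after the broken branch, else 0 */
int broken_escape_has_terminator(void)
{
	run(64, ESCAPE_BROKEN);
	return memchr(scratch, '\0', sizeof scratch) != NULL;
}

/* 10 bytes cannot hold "(unreachable)/": error when checked, "" when not */
int fixed_small_buffer_is_error(void) { return run(10, ESCAPE_FIXED) == NULL; }
int nocheck_small_buffer_is_empty(void)
{
	const char *p = run(10, ESCAPE_FIXED_NOCHECK);
	return p != NULL && p[0] == '\0';
}

int main(void)
{
	printf("normal:   %s\n", path_normal());
	printf("fixed:    %s\n", path_escaped_fixed());
	printf("broken keeps a terminator: %d\n", broken_escape_has_terminator());
	printf("fixed, 10-byte buffer -> error: %d\n", fixed_small_buffer_is_error());
	printf("unchecked, 10-byte buffer -> empty: %d\n", nocheck_small_buffer_is_empty());
	return 0;
}
```

The broken mode leaves no NUL in the 64-byte buffer at all, which is why reading the returned pointer in the kernel would run off the end of the page. The rewind form keeps the terminator at `tail` and yields "(unreachable)/", and the two small-buffer cases show why the prepend() return value matters: with the check the caller sees an error, without it an empty string.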