Tree - rpms/kernel - src.fedoraproject.org

Blob History Raw

		1e081da	`From: Andy Lutomirski <luto@amacapital.net>`
		1e081da	`Date: Wed, 8 Oct 2014 12:37:46 -0700`
		1e081da	`Subject: [PATCH] fs: Add a missing permission check to do_umount`
		1e081da
		1e081da	`Accessing do_remount_sb should require global CAP_SYS_ADMIN, but`
		1e081da	`only one of the two call sites was appropriately protected.`
		1e081da
		1e081da	`Fixes CVE-2014-7975.`
		1e081da
		1e081da	`Cc: stable@vger.kernel.org`
		1e081da	`Signed-off-by: Andy Lutomirski <luto@amacapital.net>`
		1e081da	`---`
		1e081da	`fs/namespace.c \| 2 ++`
		1e081da	`1 file changed, 2 insertions(+)`
		1e081da
		1e081da	`diff --git a/fs/namespace.c b/fs/namespace.c`
		1e081da	`index c8e3034ff4b2..fbba8b17330d 100644`
		1e081da	`--- a/fs/namespace.c`
		1e081da	`+++ b/fs/namespace.c`
		1e081da	`@@ -1439,6 +1439,8 @@ static int do_umount(struct mount *mnt, int flags)`
		1e081da	`* Special case for "unmounting" root ...`
		1e081da	`* we just try to remount it readonly.`
		1e081da	`*/`
		1e081da	`+ if (!capable(CAP_SYS_ADMIN))`
		1e081da	`+ return -EPERM;`
		1e081da	`down_write(&sb->s_umount);`
		1e081da	`if (!(sb->s_flags & MS_RDONLY))`
		1e081da	`retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);`
		1e081da	`--`
		1e081da	`1.9.3`
		1e081da