From: "Eric W. Biederman" <ebiederm@xmission.com>

Date: Wed, 8 Oct 2014 10:42:27 -0700

Subject: [PATCH] mnt: Prevent pivot_root from creating a loop in the mount

 tree

Andy Lutomirski recently demonstrated that when chroot is used to set

the root path below the path for the new ``root'' passed to pivot_root

the pivot_root system call succeeds and leaks mounts.

In examining the code I see that starting with a new root that is

below the current root in the mount tree will result in a loop in the

mount tree after the mounts are detached and then reattached to one

another.  Resulting in all kinds of ugliness including a leak of that

mounts involved in the leak of the mount loop.

Prevent this problem by ensuring that the new mount is reachable from

the current root of the mount tree.

Upstream-status: Submitted for 3.18

Bugzilla: 1151095,1151484

Reported-by: Andy Lutomirski <luto@amacapital.net>

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

---

 fs/namespace.c | 3 +++

 1 file changed, 3 insertions(+)

diff --git a/fs/namespace.c b/fs/namespace.c

index 7f67b463a5b4..550dbff08677 100644

--- a/fs/namespace.c

+++ b/fs/namespace.c

@@ -2822,6 +2822,9 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,

 	/* make sure we can reach put_old from new_root */

 	if (!is_path_reachable(old_mnt, old.dentry, &new))

 		goto out4;

+	/* make certain new is below the root */

+	if (!is_path_reachable(new_mnt, new.dentry, &root))

+		goto out4;

 	root_mp->m_count++; /* pin it so it won't go away */

 	lock_mount_hash();

 	detach_mnt(new_mnt, &parent_path);

-- 

1.9.3