ovl: prevent private clone if bind mount is not allowed
commit 427215d85e8d1476da1a86b8d67aceb485eb3631 upstream.
Add the following checks from __do_loopback() to clone_private_mount() as
well:
- verify that the mount is in the current namespace
- verify that there are no locked children
Reported-by: Alois Wohlschlager <alois1@gmx-topmail.de>
Fixes: c771d683a6 ("vfs: introduce clone_private_mount()")
Cc: <stable@vger.kernel.org> # v3.18
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Miklos Szeredi
committed by
Greg Kroah-Hartman
Greg Kroah-Hartman
parent
bffead8d36
commit
6a002d48a6
@@ -1919,6 +1919,20 @@ void drop_collected_mounts(struct vfsmount *mnt)
|
|||||||
namespace_unlock();
|
namespace_unlock();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool has_locked_children(struct mount *mnt, struct dentry *dentry)
|
||||||
|
{
|
||||||
|
struct mount *child;
|
||||||
|
|
||||||
|
list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
|
||||||
|
if (!is_subdir(child->mnt_mountpoint, dentry))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (child->mnt.mnt_flags & MNT_LOCKED)
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* clone_private_mount - create a private clone of a path
|
* clone_private_mount - create a private clone of a path
|
||||||
*
|
*
|
||||||
@@ -1933,10 +1947,19 @@ struct vfsmount *clone_private_mount(const struct path *path)
|
|||||||
struct mount *old_mnt = real_mount(path->mnt);
|
struct mount *old_mnt = real_mount(path->mnt);
|
||||||
struct mount *new_mnt;
|
struct mount *new_mnt;
|
||||||
|
|
||||||
|
down_read(&namespace_sem);
|
||||||
if (IS_MNT_UNBINDABLE(old_mnt))
|
if (IS_MNT_UNBINDABLE(old_mnt))
|
||||||
return ERR_PTR(-EINVAL);
|
goto invalid;
|
||||||
|
|
||||||
|
if (!check_mnt(old_mnt))
|
||||||
|
goto invalid;
|
||||||
|
|
||||||
|
if (has_locked_children(old_mnt, path->dentry))
|
||||||
|
goto invalid;
|
||||||
|
|
||||||
new_mnt = clone_mnt(old_mnt, path->dentry, CL_PRIVATE);
|
new_mnt = clone_mnt(old_mnt, path->dentry, CL_PRIVATE);
|
||||||
|
up_read(&namespace_sem);
|
||||||
|
|
||||||
if (IS_ERR(new_mnt))
|
if (IS_ERR(new_mnt))
|
||||||
return ERR_CAST(new_mnt);
|
return ERR_CAST(new_mnt);
|
||||||
|
|
||||||
@@ -1944,6 +1967,10 @@ struct vfsmount *clone_private_mount(const struct path *path)
|
|||||||
new_mnt->mnt_ns = MNT_NS_INTERNAL;
|
new_mnt->mnt_ns = MNT_NS_INTERNAL;
|
||||||
|
|
||||||
return &new_mnt->mnt;
|
return &new_mnt->mnt;
|
||||||
|
|
||||||
|
invalid:
|
||||||
|
up_read(&namespace_sem);
|
||||||
|
return ERR_PTR(-EINVAL);
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(clone_private_mount);
|
EXPORT_SYMBOL_GPL(clone_private_mount);
|
||||||
|
|
||||||
@@ -2295,19 +2322,6 @@ static int do_change_type(struct path *path, int ms_flags)
|
|||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool has_locked_children(struct mount *mnt, struct dentry *dentry)
|
|
||||||
{
|
|
||||||
struct mount *child;
|
|
||||||
list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
|
|
||||||
if (!is_subdir(child->mnt_mountpoint, dentry))
|
|
||||||
continue;
|
|
||||||
|
|
||||||
if (child->mnt.mnt_flags & MNT_LOCKED)
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
static struct mount *__do_loopback(struct path *old_path, int recurse)
|
static struct mount *__do_loopback(struct path *old_path, int recurse)
|
||||||
{
|
{
|
||||||
struct mount *mnt = ERR_PTR(-EINVAL), *old = real_mount(old_path->mnt);
|
struct mount *mnt = ERR_PTR(-EINVAL), *old = real_mount(old_path->mnt);
|
||||||
|
|||||||
Reference in New Issue
Block a user