Summary: | <=linux-3.17: umount denial of service | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Kernel Security <security-kernel> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | kernel |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2014/10/08/22 | ||
Whiteboard: | A3 [stable blocked] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 522930 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2014-10-09 15:39:14 UTC
CVE-2014-7975 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7975): The do_umount function in fs/namespace.c in the Linux kernel through 3.17 does not require the CAP_SYS_ADMIN capability for do_remount_sb calls that change the root filesystem to read-only, which allows local users to cause a denial of service (loss of writability) by making certain unshare system calls, clearing the / MNT_LOCKED flag, and making an MNT_FORCE umount system call.

unless i'm missing something, this is a problem w/the kernel's mount logic. there's nothing util-linux can do here. the test code uses just syscalls, not `mount`.

(In reply to SpanKY from comment #2)
> unless i'm missing something, this is a problem w/the kernel's mount logic.
> there's nothing util-linux can do here. the test code uses just syscalls,
> not `mount`.

Agreed, you are not missing something.

For reference: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/fs/namespace.c?id=ce9d7f7b45930ed16c512aabcfe651d44f1c8619

This patch released in 3.17.1-r1

commit 95d1112750ebfe84eba65df5f8d443a7bbee8ce0
Author: Mike Pagano <mpagano@gentoo.org>
Date: Fri Oct 17 07:43:19 2014 -0400

Prevent a leak of unreachable mounts. See bug #524848

Security team can resolve as they see fit to their policies.

This was patched in
- >=3.16.35
- >=3.12.33
- >=3.10.60
- >=3.4.106

Waiting for stable sys-kernel/gentoo-sources-3.4er ebuild...

Unable to check for sanity:
> no match for package: =sys-kernel/gentoo-sources-3.4.113

Resetting sanity check; package list is empty.
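
A triage helper built from the fixed-version list in this thread, as an added example that is not part of the bug report or of any Gentoo tooling: it classifies a `uname -r` style string against the releases named above. The function name and status words are made up here, and it assumes upstream or gentoo-sources version numbering.

```shell
#!/bin/sh
# Added example (not from the bug report). Classifies a kernel release
# string against the fixed versions listed in this bug.
# Assumption: upstream or gentoo-sources numbering, as `uname -r` prints;
# vendor kernels that backport the fix are not recognised.
# Prints: patched | affected | unlisted | not-affected | unknown

cve_2014_7975_status() {
    rel=${1%%[-+]*}                 # drop suffix, e.g. "-gentoo-r1"
    major=${rel%%.*}
    rest=${rel#*.}
    if [ "$rest" = "$rel" ]; then rest=0; fi   # no minor component given
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;
    esac
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    done

    # The CVE text covers kernels "through 3.17"; later series are outside it.
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -gt 17 ]; }; then
        echo not-affected; return 0
    fi

    fixed=
    if [ "$major" -eq 3 ]; then
        case $minor in              # first fixed release per stable series
            16) fixed=35 ;;
            12) fixed=33 ;;
            10) fixed=60 ;;
            4)  fixed=106 ;;
        esac
    fi
    if [ -z "$fixed" ]; then
        # In the CVE's range, but this bug gives no fixed version for the
        # series (for 3.17 it names only gentoo-sources 3.17.1-r1).
        echo unlisted; return 3
    fi
    if [ "$patch" -ge "$fixed" ]; then
        echo patched; return 0
    fi
    echo affected; return 1
}

# Usage: sh check.sh "$(uname -r)"
if [ "$#" -gt 0 ]; then cve_2014_7975_status "$1"; fi
```

An `unlisted` result means the series falls inside the CVE's range but this bug names no fixed release for it, so the kernel's changelog has to be checked by hand.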