| Summary: | <=linux-3.17: umount denial of service | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Kernel Security <security-kernel> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | kernel |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2014/10/08/22 | ||
| Whiteboard: | A3 [stable blocked] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 522930 | ||
| Bug Blocks: | |||
CVE-2014-7975 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7975): The do_umount function in fs/namespace.c in the Linux kernel through 3.17 does not require the CAP_SYS_ADMIN capability for do_remount_sb calls that change the root filesystem to read-only, which allows local users to cause a denial of service (loss of writability) by making certain unshare system calls, clearing the / MNT_LOCKED flag, and making an MNT_FORCE umount system call. unless i'm missing something, this is a problem w/the kernel's mount logic. there's nothing util-linux can do here. the test code uses just syscalls, not `mount`. (In reply to SpanKY from comment #2) > unless i'm missing something, this is a problem w/the kernel's mount logic. > there's nothing util-linux can do here. the test code uses just syscalls, > not `mount`. Agreed, you are not missing something. For reference: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/fs/namespace.c?id=ce9d7f7b45930ed16c512aabcfe651d44f1c8619 This patch released in 3.17.1-r1 commit 95d1112750ebfe84eba65df5f8d443a7bbee8ce0 Author: Mike Pagano <mpagano@gentoo.org> Date: Fri Oct 17 07:43:19 2014 -0400 Prevent a leak of unreachable mounts. See bug #524848 Security team can resolve as they see fit to their policies. This was patched in - >=3.16.35 - >=3.12.33 - >=3.10.60 - >=3.4.106 Waiting for stable sys-kernel/gentoo-sources-3.4er ebuild... Unable to check for sanity:
> no match for package: =sys-kernel/gentoo-sources-3.4.113
Resetting sanity check; package list is empty. |
From ${URL} : I just screwed up and typoed my git send-email command, so there's now a publicly available exploit for a new umount bug. Fortunately this one isn't terribly serious, but it might be usable for more than just DoS if some daemon reacts poorly to being unable to write to the filesystem. http://thread.gmane.org/gmane.linux.kernel.stable/109312 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.