From 475e0aea71ea2fa1ea03c956a70bf9066f14d101 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 13 Oct 2014 14:48:25 -0400 Subject: [PATCH] CVE-2014-7975 fs: umount DoS (rhbz 1151108 1152025) --- ...issing-permission-check-to-do_umount.patch | 31 +++++++++++++++++++ kernel.spec | 9 ++++++ 2 files changed, 40 insertions(+) create mode 100644 fs-Add-a-missing-permission-check-to-do_umount.patch diff --git a/fs-Add-a-missing-permission-check-to-do_umount.patch b/fs-Add-a-missing-permission-check-to-do_umount.patch new file mode 100644 index 000000000..ce9de6641 --- /dev/null +++ b/fs-Add-a-missing-permission-check-to-do_umount.patch @@ -0,0 +1,31 @@ +From: Andy Lutomirski +Date: Wed, 8 Oct 2014 12:37:46 -0700 +Subject: [PATCH] fs: Add a missing permission check to do_umount + +Accessing do_remount_sb should require global CAP_SYS_ADMIN, but +only one of the two call sites was appropriately protected. + +Fixes CVE-2014-7975. + +Cc: stable@vger.kernel.org +Signed-off-by: Andy Lutomirski +--- + fs/namespace.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/namespace.c b/fs/namespace.c +index c8e3034ff4b2..fbba8b17330d 100644 +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1439,6 +1439,8 @@ static int do_umount(struct mount *mnt, int flags) + * Special case for "unmounting" root ... + * we just try to remount it readonly. + */ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; + down_write(&sb->s_umount); + if (!(sb->s_flags & MS_RDONLY)) + retval = do_remount_sb(sb, MS_RDONLY, NULL, 0); +-- +1.9.3 + diff --git a/kernel.spec b/kernel.spec index 5dfe91eb0..ff6d27576 100644 --- a/kernel.spec +++ b/kernel.spec @@ -637,6 +637,9 @@ Patch26039: HID-usbhid-always-poll-quirk-for-Elan-Touchscreen-00.patch Patch26040: USB-quirks-device-qualifier-quirk-for-another-Elan-t.patch Patch26041: HID-usbhid-always-poll-quirk-for-Elan-Touchscreen-01.patch +#CVE-2014-7975 rhbz 1151108 1152025 +Patch26042: fs-Add-a-missing-permission-check-to-do_umount.patch + # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel Patch30000: kernel-arm64.patch @@ -1387,6 +1390,9 @@ ApplyPatch HID-usbhid-always-poll-quirk-for-Elan-Touchscreen-00.patch ApplyPatch USB-quirks-device-qualifier-quirk-for-another-Elan-t.patch ApplyPatch HID-usbhid-always-poll-quirk-for-Elan-Touchscreen-01.patch +#CVE-2014-7975 rhbz 1151108 1152025 +ApplyPatch fs-Add-a-missing-permission-check-to-do_umount.patch + %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. @@ -2255,6 +2261,9 @@ fi # ||----w | # || || %changelog +* Mon Oct 13 2014 Josh Boyer +- CVE-2014-7975 fs: umount DoS (rhbz 1151108 1152025) + * Sun Oct 12 2014 Josh Boyer - Enable CONFIG_I2C_DESIGNWARE_PCI (rhbz 1045821)