From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alois Wohlschlager, Miklos Szeredi
Subject: [PATCH 5.13 8/8] ovl: prevent private clone if bind mount is not allowed
Date: Fri, 13 Aug 2021 17:07:45 +0200
Message-Id: <20210813150520.354569563@linuxfoundation.org>
In-Reply-To: <20210813150520.090373732@linuxfoundation.org>
References: <20210813150520.090373732@linuxfoundation.org>

From: Miklos Szeredi

commit 427215d85e8d1476da1a86b8d67aceb485eb3631 upstream.

Add the following checks from __do_loopback() to clone_private_mount() as
well:

 - verify that the mount is in the current namespace

 - verify that there are no locked children

Reported-by: Alois Wohlschlager
Fixes: c771d683a62e ("vfs: introduce clone_private_mount()")
Cc: # v3.18
Signed-off-by: Miklos Szeredi
Signed-off-by: Greg Kroah-Hartman
--- fs/namespace.c | 42 ++++++++++++++++++++++++++++-------------- 1 file changed, 28 insertions(+), 14 deletions(-) --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1938,6 +1938,20 @@ void drop_collected_mounts(struct vfsmou namespace_unlock(); } +static bool has_locked_children(struct mount *mnt, struct dentry *dentry) +{ + struct mount *child; + + list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) { + if (!is_subdir(child->mnt_mountpoint, dentry)) + continue; + + if (child->mnt.mnt_flags & MNT_LOCKED) + return true; + } + return false; +} + /** * clone_private_mount - create a private clone of a path * @path: path to clone 
@@ -1953,10 +1967,19 @@ struct vfsmount *clone_private_mount(con struct mount *old_mnt = real_mount(path->mnt); struct mount *new_mnt; + down_read(&namespace_sem); if (IS_MNT_UNBINDABLE(old_mnt)) - return ERR_PTR(-EINVAL); + goto invalid; + + if (!check_mnt(old_mnt)) + goto invalid; + + if (has_locked_children(old_mnt, path->dentry)) + goto invalid; new_mnt = clone_mnt(old_mnt, path->dentry, CL_PRIVATE); + up_read(&namespace_sem); + if (IS_ERR(new_mnt)) return ERR_CAST(new_mnt); @@ -1964,6 +1987,10 @@ struct vfsmount *clone_private_mount(con new_mnt->mnt_ns = MNT_NS_INTERNAL; return &new_mnt->mnt; + +invalid: + up_read(&namespace_sem); + return ERR_PTR(-EINVAL); } EXPORT_SYMBOL_GPL(clone_private_mount); @@ -2315,19 +2342,6 @@ static int do_change_type(struct path *p return err; } -static bool has_locked_children(struct mount *mnt, struct dentry *dentry) -{ - struct mount *child; - list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) { - if (!is_subdir(child->mnt_mountpoint, dentry)) - continue; - - if (child->mnt.mnt_flags & MNT_LOCKED) - return true; - } - return false; -} - static struct mount *__do_loopback(struct path *old_path, int recurse) { struct mount *mnt = ERR_PTR(-EINVAL), *old = real_mount(old_path->mnt);
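
Review bot: has_locked_children(), now placed above clone_private_mount() in the first hunk, walks mnt->mnt_mounts with no locking of its own, and nothing at its definition says what the caller must hold. The new caller takes namespace_sem for read before calling it; a one-line comment above the helper stating that requirement would keep a later caller from using it unlocked.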
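
Review bot: In clone_private_mount() (second and third hunks), check_mnt() and has_locked_children() add two new failure cases, but no hunk updates the kernel-doc comment above the function to mention them. Suggest a sentence there saying that -EINVAL is also returned when the mount is not in the caller's mount namespace or has locked children under path->dentry, since all three rejections now leave through the same invalid: label and look identical to the caller. Taking namespace_sem before IS_MNT_UNBINDABLE() and dropping it only after clone_mnt() keeps the checks and the clone in one critical section, and both exits release it, so the locking itself looks right.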
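
Review bot: The last hunk only removes the old copy of has_locked_children() from above __do_loopback(), so after this patch the namespace and locked-children policy is still written out separately in __do_loopback() and in clone_private_mount(), as the commit message describes. Consider a follow-up that puts check_mnt() and has_locked_children() behind one shared helper used by both, so the two paths cannot diverge again the way the Fixes: tag shows they did.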