[kernel/f20] CVE-2014-5045 vfs: refcount issues during lazy umount on symlink (rhbz 1122471 1122482)

Josh Boyer jwboyer at fedoraproject.org
Thu Jul 24 16:05:28 UTC 2014


commit 16aafab68cf028455110c5dd55484e28e3d638d5
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Thu Jul 24 12:02:58 2014 -0400

    CVE-2014-5045 vfs: refcount issues during lazy umount on symlink (rhbz 1122471 1122482)

 fs-umount-on-symlink-leaks-mnt-count.patch |   41 ++++++++++++++++++++++++++++
 kernel.spec                                |    7 +++++
 2 files changed, 48 insertions(+), 0 deletions(-)
---
diff --git a/fs-umount-on-symlink-leaks-mnt-count.patch b/fs-umount-on-symlink-leaks-mnt-count.patch
new file mode 100644
index 0000000..ed0e8a3
--- /dev/null
+++ b/fs-umount-on-symlink-leaks-mnt-count.patch
@@ -0,0 +1,41 @@
+Bugzilla: 1122482
+Upstream-status: Sent for 3.16 
+From: Vasily Averin <vvs at openvz.org>
+Subject: [PATCH v4] fs: umount on symlink leaks mnt count
+Currently umount on symlink blocks following umount:
+
+/vz is separate mount
+
+# ls /vz/ -al | grep test
+drwxr-xr-x.  2 root root       4096 Jul 19 01:14 testdir
+lrwxrwxrwx.  1 root root         11 Jul 19 01:16 testlink -> /vz/testdir
+# umount -l /vz/testlink
+umount: /vz/testlink: not mounted (expected)
+# lsof /vz
+# umount /vz
+umount: /vz: device is busy. (unexpected)
+
+In this case mountpoint_last() gets an extra refcount on path->mnt
+
+Signed-off-by: Vasily Averin <vvs at openvz.org>
+---
+ fs/namei.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+diff --git a/fs/namei.c b/fs/namei.c
+index 985c6f3..9eb787e 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -2256,9 +2256,10 @@ done:
+ 		goto out;
+ 	}
+ 	path->dentry = dentry;
+-	path->mnt = mntget(nd->path.mnt);
++	path->mnt = nd->path.mnt;
+ 	if (should_follow_link(dentry, nd->flags & LOOKUP_FOLLOW))
+ 		return 1;
++	mntget(path->mnt);
+ 	follow_mount(path);
+ 	error = 0;
+ out:
+-- 
+1.7.5.4
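Review bot: The description in this patch file never says which return path leaks. In the fs/namei.c change the reference is no longer taken at the assignment and is taken only after the `should_follow_link()` check, so the leak was on the `return 1` path, yet the text only says "mountpoint_last() gets an extra refcount on path->mnt". Please state that explicitly, and consider a short comment above `path->mnt = nd->path.mnt;` noting that on `return 1` path->mnt is handed back without its own reference, since the lines shown do not make clear what the caller is expected to do with it. The header also carries only "Bugzilla: 1122482" and "Upstream-status: Sent for 3.16", with no CVE id, so someone reading the patch file on its own cannot tie it to CVE-2014-5045.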
diff --git a/kernel.spec b/kernel.spec
index f9c1469..504e4d0 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -756,6 +756,9 @@ Patch25117: s390-ptrace-fix-PSW-mask-check.patch
 #rhbz 1117942
 Patch25118: sched-fix-sched_setparam-policy-1-logic.patch
 
+#CVE-2014-5045 rhbz 1122472 1122482
+Patch25119: fs-umount-on-symlink-leaks-mnt-count.patch
+
 
 # END OF PATCH DEFINITIONS
 
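Review bot: The bug number in the added comment `#CVE-2014-5045 rhbz 1122472 1122482` does not match the commit subject and the %changelog entry, which both give rhbz 1122471 1122482. One of 1122471 and 1122472 is a typo; please make this comment, and the identical one added above the ApplyPatch line, agree with the changelog so the bug reference can be searched consistently.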
@@ -1472,6 +1475,9 @@ ApplyPatch s390-ptrace-fix-PSW-mask-check.patch
 #rhbz 1117942
 ApplyPatch sched-fix-sched_setparam-policy-1-logic.patch
 
+#CVE-2014-5045 rhbz 1122472 1122482
+ApplyPatch fs-umount-on-symlink-leaks-mnt-count.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2284,6 +2290,7 @@ fi
 #                 ||     ||
 %changelog
 * Thu Jul 24 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-5045 vfs: refcount issues during lazy umount on symlink (rhbz 1122471 1122482)
 - Fix regression in sched_setparam (rhbz 1117942)
 - CVE-2014-3534 s390: ptrace: insufficient sanitization with psw mask (rhbz 1114089 1122612)
 - Fix ath3k bluetooth regression (rhbz 1121785)

