3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 19 Oct 2014 23:18:48 +0000 (07:18 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 19 Oct 2014 23:18:48 +0000 (07:18 +0800)
added patches:
fs-add-a-missing-permission-check-to-do_umount.patch

queue-3.10/fs-add-a-missing-permission-check-to-do_umount.patch [new file with mode: 0644]
queue-3.10/series

diff --git a/queue-3.10/fs-add-a-missing-permission-check-to-do_umount.patch b/queue-3.10/fs-add-a-missing-permission-check-to-do_umount.patch
new file mode 100644 (file)
index 0000000..b597655
--- /dev/null
@@ -0,0 +1,32 @@
+From a1480dcc3c706e309a88884723446f2e84fedd5b Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Wed, 8 Oct 2014 12:32:47 -0700
+Subject: fs: Add a missing permission check to do_umount
+
+From: Andy Lutomirski <luto@amacapital.net>
+
+commit a1480dcc3c706e309a88884723446f2e84fedd5b upstream.
+
+Accessing do_remount_sb should require global CAP_SYS_ADMIN, but
+only one of the two call sites was appropriately protected.
+
+Fixes CVE-2014-7975.
+
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namespace.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -1274,6 +1274,8 @@ static int do_umount(struct mount *mnt,
+                * Special case for "unmounting" root ...
+                * we just try to remount it readonly.
+                */
++              if (!capable(CAP_SYS_ADMIN))
++                      return -EPERM;
+               down_write(&sb->s_umount);
+               if (!(sb->s_flags & MS_RDONLY))
+                       retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
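Review bot: The added `if (!capable(CAP_SYS_ADMIN)) return -EPERM;` in the root special case of do_umount carries no comment saying why the global capability is required. A later reader could be tempted to relax it to a namespace-relative check such as `ns_capable()`. The commit message gives the reason (do_remount_sb acts on the whole superblock and should need global CAP_SYS_ADMIN), so I would extend the existing comment with `* do_remount_sb() affects every mount of this superblock, so require global CAP_SYS_ADMIN, not a per-namespace capability.` The check sits before `down_write(&sb->s_umount)`, so the early return leaves no lock held. do_umount starts and ends outside the hunk and the other do_remount_sb call site is not visible here, so whether both are now guarded the same way cannot be confirmed from this patch.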
index e62c71d19e5ab1d056eb15b578ad17b85704fb7d..aa52a5322b8701807d4fccd887d301504c13de02 100644 (file)
@@ -1,3 +1,4 @@
 btrfs-try-not-to-enospc-on-log-replay.patch
 btrfs-fix-build_backref_tree-issue-with-multiple-shared-blocks.patch
 btrfs-fix-race-in-wait_sync-ioctl.patch
+fs-add-a-missing-permission-check-to-do_umount.patch