[PATCH 4.4 34/47] userns: move user access out of the mutex

Rafael David Tinoco rafael.tinoco at linaro.org
Sun Sep 9 03:56:45 UTC 2018


Greg,

On Fri, Sep 7, 2018 at 6:41 PM Greg Kroah-Hartman
<gregkh at linuxfoundation.org> wrote:
>
> 4.4-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Jann Horn <jannh at google.com>
>
> commit 5820f140edef111a9ea2ef414ab2428b8cb805b1 upstream.
>
> The old code would hold the userns_state_mutex indefinitely if
> memdup_user_nul stalled due to e.g. a userfault region. Prevent that by
> moving the memdup_user_nul in front of the mutex_lock().
>
> Note: This changes the error precedence of invalid buf/count/*ppos vs
> map already written / capabilities missing.
>
> Fixes: 22d917d80e84 ("userns: Rework the user_namespace adding uid/gid...")
> Cc: stable at vger.kernel.org
> Signed-off-by: Jann Horn <jannh at google.com>
> Acked-by: Christian Brauner <christian at brauner.io>
> Acked-by: Serge Hallyn <serge at hallyn.com>
> Signed-off-by: Eric W. Biederman <ebiederm at xmission.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
>
> ---
>  kernel/user_namespace.c |   22 ++++++++++------------
>  1 file changed, 10 insertions(+), 12 deletions(-)
>
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -604,7 +604,16 @@ static ssize_t map_write(struct file *fi
>         struct uid_gid_extent *extent = NULL;
>         unsigned long page = 0;
>         char *kbuf, *pos, *next_line;
> -       ssize_t ret = -EINVAL;
> +       ssize_t ret;
> +
> +       /* Only allow < page size writes at the beginning of the file */
> +       if ((*ppos != 0) || (count >= PAGE_SIZE))
> +               return -EINVAL;
> +
> +       /* Slurp in the user data */
> +       if (copy_from_user(kbuf, buf, count))
> +               return -EFAULT;
> +       kbuf[count] = '\0';

Naresh will soon report issues found by LKFT on user_ns for 4.4 kernel
for this review round.

selftests: mount_run_tests.sh [FAIL]
write to /proc/self/uid_map failed: Bad address

LTP: user_namespace2 1 TBROK : safe_macros.c:452: userns02.c:95:
write(6,0x7ffc133113d0,18446744073709551615) failed: errno=EFAULT(14):
Bad address

I believe the EFAULT was caused because when changing code from
"memdup_user_nul" to "copy_from_user", for the older kernels, you
missed allocating the slab object for "kbuf", like memdup_user_nul()
does.

Note: This likely applies to 3.18 as well.

We are finishing functional tests without this patch, but we wanted to
make you aware right away.

Best Regards,
Rafael


More information about the Linux-stable-mirror mailing list