Re: [PATCH 4.4 34/47] userns: move user access out of the mutex

Sat, 08 Sep 2018 20:57:49 -0700 

Greg,

On Fri, Sep 7, 2018 at 6:41 PM Greg Kroah-Hartman
<gre...@linuxfoundation.org> wrote:
>
> 4.4-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Jann Horn <ja...@google.com>
>
> commit 5820f140edef111a9ea2ef414ab2428b8cb805b1 upstream.
>
> The old code would hold the userns_state_mutex indefinitely if
> memdup_user_nul stalled due to e.g. a userfault region. Prevent that by
> moving the memdup_user_nul in front of the mutex_lock().
>
> Note: This changes the error precedence of invalid buf/count/*ppos vs
> map already written / capabilities missing.
>
> Fixes: 22d917d80e84 ("userns: Rework the user_namespace adding uid/gid...")
> Cc: sta...@vger.kernel.org
> Signed-off-by: Jann Horn <ja...@google.com>
> Acked-by: Christian Brauner <christ...@brauner.io>
> Acked-by: Serge Hallyn <se...@hallyn.com>
> Signed-off-by: Eric W. Biederman <ebied...@xmission.com>
> Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
>
> ---
>  kernel/user_namespace.c |   22 ++++++++++------------
>  1 file changed, 10 insertions(+), 12 deletions(-)
>
> --- a/kernel/user_namespace.c
> +++ b/kernel/user_namespace.c
> @@ -604,7 +604,16 @@ static ssize_t map_write(struct file *fi
>         struct uid_gid_extent *extent = NULL;
>         unsigned long page = 0;
>         char *kbuf, *pos, *next_line;
> -       ssize_t ret = -EINVAL;
> +       ssize_t ret;
> +
> +       /* Only allow < page size writes at the beginning of the file */
> +       if ((*ppos != 0) || (count >= PAGE_SIZE))
> +               return -EINVAL;
> +
> +       /* Slurp in the user data */
> +       if (copy_from_user(kbuf, buf, count))
> +               return -EFAULT;
> +       kbuf[count] = '\0';

Naresh will soon report issues found by LKFT on user_ns for 4.4 kernel
for this review round.

selftests: mount_run_tests.sh [FAIL]
write to /proc/self/uid_map failed: Bad address

LTP: user_namespace2 1 TBROK : safe_macros.c:452: userns02.c:95:
write(6,0x7ffc133113d0,18446744073709551615) failed: errno=EFAULT(14):
Bad address

I believe the EFAULT was caused because when changing code from
"memdup_user_nul" to "copy_from_user", for the older kernels, you
missed allocating the slab object for "kbuf", like memdup_user_nul()
does.

Note: This likely applies to 3.18 as well.

We are finishing functional tests without this patch, but we wanted to
make you aware right away.

Best Regards,
Rafael

Reply via email to