On Sun, Sep 09, 2018 at 12:56:45AM -0300, Rafael David Tinoco wrote:
Greg,
On Fri, Sep 7, 2018 at 6:41 PM Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
4.4-stable review patch. If anyone has any objections, please let me know.
From: Jann Horn jannh@google.com
commit 5820f140edef111a9ea2ef414ab2428b8cb805b1 upstream.
The old code would hold the userns_state_mutex indefinitely if memdup_user_nul stalled due to e.g. a userfault region. Prevent that by moving the memdup_user_nul in front of the mutex_lock().
Note: This changes the error precedence of invalid buf/count/*ppos vs map already written / capabilities missing.
Fixes: 22d917d80e84 ("userns: Rework the user_namespace adding uid/gid...") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn jannh@google.com Acked-by: Christian Brauner christian@brauner.io Acked-by: Serge Hallyn serge@hallyn.com Signed-off-by: Eric W. Biederman ebiederm@xmission.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
kernel/user_namespace.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-)
--- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c @@ -604,7 +604,16 @@ static ssize_t map_write(struct file *fi struct uid_gid_extent *extent = NULL; unsigned long page = 0; char *kbuf, *pos, *next_line;
ssize_t ret = -EINVAL;
ssize_t ret;/* Only allow < page size writes at the beginning of the file */if ((*ppos != 0) || (count >= PAGE_SIZE))return -EINVAL;/* Slurp in the user data */if (copy_from_user(kbuf, buf, count))return -EFAULT;kbuf[count] = '\0';Naresh will soon report issues found by LKFT on user_ns for 4.4 kernel for this review round.
selftests: mount_run_tests.sh [FAIL] write to /proc/self/uid_map failed: Bad address
LTP: user_namespace2 1 TBROK : safe_macros.c:452: userns02.c:95: write(6,0x7ffc133113d0,18446744073709551615) failed: errno=EFAULT(14): Bad address
I believe the EFAULT was caused because when changing code from "memdup_user_nul" to "copy_from_user", for the older kernels, you missed allocating the slab object for "kbuf", like memdup_user_nul() does.
Note: This likely applies to 3.18 as well.
We are finishing functional tests without this patch, but we wanted to make you aware right away.
Nice catch. Ugh, that's all my fault for when I backported this. Let me go work on that now...
greg k-h