Skip to content

Commit

Permalink
Merge branch 'userns-linus' of git://git.kernel.org/pub/scm/linux/ker…
Browse files Browse the repository at this point in the history 
…nel/git/ebiederm/user-namespace

Pull namespace fixes from Eric Biederman:
 "This is a set of four fairly obvious bug fixes:

   - a switch from d_find_alias to d_find_any_alias because the xattr
     code perversely takes a dentry

   - two mutex vs copy_to_user fixes from Jann Horn

   - a fix to use a sanitized size not the size userspace passed in from
     Christian Brauner"

* 'userns-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
  getxattr: use correct xattr length
  sys: don't hold uts_sem while accessing userspace memory
  userns: move user access out of the mutex
  cap_inode_getsecurity: use d_find_any_alias() instead of d_find_alias()
  • Loading branch information
@torvalds
torvalds committed Aug 24, 2018
2 parents 5e8704a + 82c9a92 commit 4def196
Show file tree
Hide file tree
Showing 8 changed files with 131 additions and 126 deletions.
51 changes: 24 additions & 27 deletions arch/alpha/kernel/osf_sys.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -530,24 +530,19 @@ SYSCALL_DEFINE4(osf_mount, unsigned long, typenr, const char __user *, path,
SYSCALL_DEFINE1(osf_utsname, char __user *, name)
{
int error;
char tmp[5 * 32];

down_read(&uts_sem);
error = -EFAULT;
if (copy_to_user(name + 0, utsname()->sysname, 32))
goto out;
if (copy_to_user(name + 32, utsname()->nodename, 32))
goto out;
if (copy_to_user(name + 64, utsname()->release, 32))
goto out;
if (copy_to_user(name + 96, utsname()->version, 32))
goto out;
if (copy_to_user(name + 128, utsname()->machine, 32))
goto out;
memcpy(tmp + 0 * 32, utsname()->sysname, 32);
memcpy(tmp + 1 * 32, utsname()->nodename, 32);
memcpy(tmp + 2 * 32, utsname()->release, 32);
memcpy(tmp + 3 * 32, utsname()->version, 32);
memcpy(tmp + 4 * 32, utsname()->machine, 32);
up_read(&uts_sem);

error = 0;
out:
up_read(&uts_sem);
return error;
if (copy_to_user(name, tmp, sizeof(tmp)))
return -EFAULT;
return 0;
}

SYSCALL_DEFINE0(getpagesize)
Expand All @@ -567,18 +562,21 @@ SYSCALL_DEFINE2(osf_getdomainname, char __user *, name, int, namelen)
{
int len, err = 0;
char *kname;
char tmp[32];

if (namelen > 32)
if (namelen < 0 || namelen > 32)
namelen = 32;

down_read(&uts_sem);
kname = utsname()->domainname;
len = strnlen(kname, namelen);
if (copy_to_user(name, kname, min(len + 1, namelen)))
err = -EFAULT;
len = min(len + 1, namelen);
memcpy(tmp, kname, len);
up_read(&uts_sem);

return err;
if (copy_to_user(name, tmp, len))
return -EFAULT;
return 0;
}

/*
Expand Down Expand Up @@ -739,27 +737,26 @@ SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)
};
unsigned long offset;
const char *res;
long len, err = -EINVAL;
long len;
char tmp[__NEW_UTS_LEN + 1];

offset = command-1;
if (offset >= ARRAY_SIZE(sysinfo_table)) {
/* Digital UNIX has a few unpublished interfaces here */
printk("sysinfo(%d)", command);
goto out;
return -EINVAL;
}

down_read(&uts_sem);
res = sysinfo_table[offset];
len = strlen(res)+1;
if ((unsigned long)len > (unsigned long)count)
len = count;
if (copy_to_user(buf, res, len))
err = -EFAULT;
else
err = 0;
memcpy(tmp, res, len);
up_read(&uts_sem);
out:
return err;
if (copy_to_user(buf, tmp, len))
return -EFAULT;
return 0;
}

SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,
Expand Down
22 changes: 13 additions & 9 deletions arch/sparc/kernel/sys_sparc_32.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -197,23 +197,27 @@ SYSCALL_DEFINE5(rt_sigaction, int, sig,

SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len)
{
int nlen, err;

int nlen, err;
char tmp[__NEW_UTS_LEN + 1];

if (len < 0)
return -EINVAL;

down_read(&uts_sem);
down_read(&uts_sem);

nlen = strlen(utsname()->domainname) + 1;
err = -EINVAL;
if (nlen > len)
goto out;
goto out_unlock;
memcpy(tmp, utsname()->domainname, nlen);

err = -EFAULT;
if (!copy_to_user(name, utsname()->domainname, nlen))
err = 0;
up_read(&uts_sem);

out:
if (copy_to_user(name, tmp, nlen))
return -EFAULT;
return 0;

out_unlock:
up_read(&uts_sem);
return err;
}
20 changes: 12 additions & 8 deletions arch/sparc/kernel/sys_sparc_64.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -519,23 +519,27 @@ asmlinkage void sparc_breakpoint(struct pt_regs *regs)

SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len)
{
int nlen, err;
int nlen, err;
char tmp[__NEW_UTS_LEN + 1];

if (len < 0)
return -EINVAL;

down_read(&uts_sem);
down_read(&uts_sem);

nlen = strlen(utsname()->domainname) + 1;
err = -EINVAL;
if (nlen > len)
goto out;
goto out_unlock;
memcpy(tmp, utsname()->domainname, nlen);

up_read(&uts_sem);

err = -EFAULT;
if (!copy_to_user(name, utsname()->domainname, nlen))
err = 0;
if (copy_to_user(name, tmp, nlen))
return -EFAULT;
return 0;

out:
out_unlock:
up_read(&uts_sem);
return err;
}
Expand Down
2 changes: 1 addition & 1 deletion fs/xattr.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -538,7 +538,7 @@ getxattr(struct dentry *d, const char __user *name, void __user *value,
if (error > 0) {
if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
(strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
posix_acl_fix_xattr_to_user(kvalue, size);
posix_acl_fix_xattr_to_user(kvalue, error);
if (size && copy_to_user(value, kvalue, error))
error = -EFAULT;
} else if (error == -ERANGE && size >= XATTR_SIZE_MAX) {
Expand Down
95 changes: 45 additions & 50 deletions kernel/sys.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1237,18 +1237,19 @@ static int override_release(char __user *release, size_t len)

SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name)
{
int errno = 0;
struct new_utsname tmp;

down_read(&uts_sem);
if (copy_to_user(name, utsname(), sizeof *name))
errno = -EFAULT;
memcpy(&tmp, utsname(), sizeof(tmp));
up_read(&uts_sem);
if (copy_to_user(name, &tmp, sizeof(tmp)))
return -EFAULT;

if (!errno && override_release(name->release, sizeof(name->release)))
errno = -EFAULT;
if (!errno && override_architecture(name))
errno = -EFAULT;
return errno;
if (override_release(name->release, sizeof(name->release)))
return -EFAULT;
if (override_architecture(name))
return -EFAULT;
return 0;
}

#ifdef __ARCH_WANT_SYS_OLD_UNAME
Expand All @@ -1257,55 +1258,46 @@ SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name)
*/
SYSCALL_DEFINE1(uname, struct old_utsname __user *, name)
{
int error = 0;
struct old_utsname tmp;

if (!name)
return -EFAULT;

down_read(&uts_sem);
if (copy_to_user(name, utsname(), sizeof(*name)))
error = -EFAULT;
memcpy(&tmp, utsname(), sizeof(tmp));
up_read(&uts_sem);
if (copy_to_user(name, &tmp, sizeof(tmp)))
return -EFAULT;

if (!error && override_release(name->release, sizeof(name->release)))
error = -EFAULT;
if (!error && override_architecture(name))
error = -EFAULT;
return error;
if (override_release(name->release, sizeof(name->release)))
return -EFAULT;
if (override_architecture(name))
return -EFAULT;
return 0;
}

SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
{
int error;
struct oldold_utsname tmp = {};

if (!name)
return -EFAULT;
if (!access_ok(VERIFY_WRITE, name, sizeof(struct oldold_utsname)))
return -EFAULT;

down_read(&uts_sem);
error = __copy_to_user(&name->sysname, &utsname()->sysname,
__OLD_UTS_LEN);
error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
error |= __copy_to_user(&name->nodename, &utsname()->nodename,
__OLD_UTS_LEN);
error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
error |= __copy_to_user(&name->release, &utsname()->release,
__OLD_UTS_LEN);
error |= __put_user(0, name->release + __OLD_UTS_LEN);
error |= __copy_to_user(&name->version, &utsname()->version,
__OLD_UTS_LEN);
error |= __put_user(0, name->version + __OLD_UTS_LEN);
error |= __copy_to_user(&name->machine, &utsname()->machine,
__OLD_UTS_LEN);
error |= __put_user(0, name->machine + __OLD_UTS_LEN);
memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN);
memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN);
memcpy(&tmp.release, &utsname()->release, __OLD_UTS_LEN);
memcpy(&tmp.version, &utsname()->version, __OLD_UTS_LEN);
memcpy(&tmp.machine, &utsname()->machine, __OLD_UTS_LEN);
up_read(&uts_sem);
if (copy_to_user(name, &tmp, sizeof(tmp)))
return -EFAULT;

if (!error && override_architecture(name))
error = -EFAULT;
if (!error && override_release(name->release, sizeof(name->release)))
error = -EFAULT;
return error ? -EFAULT : 0;
if (override_architecture(name))
return -EFAULT;
if (override_release(name->release, sizeof(name->release)))
return -EFAULT;
return 0;
}
#endif

Expand All @@ -1319,26 +1311,28 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int, len)

if (len < 0 || len > __NEW_UTS_LEN)
return -EINVAL;
down_write(&uts_sem);
errno = -EFAULT;
if (!copy_from_user(tmp, name, len)) {
struct new_utsname *u = utsname();
struct new_utsname *u;

down_write(&uts_sem);
u = utsname();
memcpy(u->nodename, tmp, len);
memset(u->nodename + len, 0, sizeof(u->nodename) - len);
errno = 0;
uts_proc_notify(UTS_PROC_HOSTNAME);
up_write(&uts_sem);
}
up_write(&uts_sem);
return errno;
}

#ifdef __ARCH_WANT_SYS_GETHOSTNAME

SYSCALL_DEFINE2(gethostname, char __user *, name, int, len)
{
int i, errno;
int i;
struct new_utsname *u;
char tmp[__NEW_UTS_LEN + 1];

if (len < 0)
return -EINVAL;
Expand All @@ -1347,11 +1341,11 @@ SYSCALL_DEFINE2(gethostname, char __user *, name, int, len)
i = 1 + strlen(u->nodename);
if (i > len)
i = len;
errno = 0;
if (copy_to_user(name, u->nodename, i))
errno = -EFAULT;
memcpy(tmp, u->nodename, i);
up_read(&uts_sem);
return errno;
if (copy_to_user(name, tmp, i))
return -EFAULT;
return 0;
}

#endif
Expand All @@ -1370,17 +1364,18 @@ SYSCALL_DEFINE2(setdomainname, char __user *, name, int, len)
if (len < 0 || len > __NEW_UTS_LEN)
return -EINVAL;

down_write(&uts_sem);
errno = -EFAULT;
if (!copy_from_user(tmp, name, len)) {
struct new_utsname *u = utsname();
struct new_utsname *u;

down_write(&uts_sem);
u = utsname();
memcpy(u->domainname, tmp, len);
memset(u->domainname + len, 0, sizeof(u->domainname) - len);
errno = 0;
uts_proc_notify(UTS_PROC_DOMAINNAME);
up_write(&uts_sem);
}
up_write(&uts_sem);
return errno;
}

Expand Down
24 changes: 10 additions & 14 deletions kernel/user_namespace.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -859,7 +859,16 @@ static ssize_t map_write(struct file *file, const char __user *buf,
unsigned idx;
struct uid_gid_extent extent;
char *kbuf = NULL, *pos, *next_line;
ssize_t ret = -EINVAL;
ssize_t ret;

/* Only allow < page size writes at the beginning of the file */
if ((*ppos != 0) || (count >= PAGE_SIZE))
return -EINVAL;

/* Slurp in the user data */
kbuf = memdup_user_nul(buf, count);
if (IS_ERR(kbuf))
return PTR_ERR(kbuf);

/*
* The userns_state_mutex serializes all writes to any given map.
Expand Down Expand Up @@ -895,19 +904,6 @@ static ssize_t map_write(struct file *file, const char __user *buf,
if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
goto out;

/* Only allow < page size writes at the beginning of the file */
ret = -EINVAL;
if ((*ppos != 0) || (count >= PAGE_SIZE))
goto out;

/* Slurp in the user data */
kbuf = memdup_user_nul(buf, count);
if (IS_ERR(kbuf)) {
ret = PTR_ERR(kbuf);
kbuf = NULL;
goto out;
}

/* Parse the user data */
ret = -EINVAL;
pos = kbuf;
Expand Down
Loading

0 comments on commit 4def196

Please sign in to comment.