Merge branch 'userns-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

Pull namespace fixes from Eric Biederman: "This is a set of four fairly obvious bug fixes: - a switch from d_find_alias to d_find_any_alias because the xattr code perversely takes a dentry - two mutex vs copy_to_user fixes from Jann Horn - a fix to use a sanitized size not the size userspace passed in from Christian Brauner" * 'userns-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: getxattr: use correct xattr length sys: don't hold uts_sem while accessing userspace memory userns: move user access out of the mutex cap_inode_getsecurity: use d_find_any_alias() instead of d_find_alias()
author: Linus Torvalds <torvalds@linux-foundation.org> 2018-08-24 12:25:39 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2018-08-24 12:25:39 -0400
commit: 4def1963608ed2b61aca5b52fdedb4ca2798820c (patch)
tree: 83b36e8ff3c5eabe0d235f863adcf54f838f838a /kernel
parent: 5e8704ac1cfa9fceef94fcc457e18613b1589b34 (diff)
parent: 82c9a927bc5df6e06b72d206d24a9d10cced4eb5 (diff)
3 files changed, 80 insertions, 80 deletions
diff --git a/kernel/sys.c b/kernel/sys.c
index e27b51d3facd..cf5c67533ff1 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1237,18 +1237,19 @@ static int override_release(char __user *release, size_t len)
 SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name)
 {
-        int errno = 0;
+        struct new_utsname tmp;
        down_read(&uts_sem);
-        if (copy_to_user(name, utsname(), sizeof *name))
+        memcpy(&tmp, utsname(), sizeof(tmp));
-                errno = -EFAULT;
        up_read(&uts_sem);
+        if (copy_to_user(name, &tmp, sizeof(tmp)))
+                return -EFAULT;
-        if (!errno && override_release(name->release, sizeof(name->release)))
+        if (override_release(name->release, sizeof(name->release)))
-                errno = -EFAULT;
+                return -EFAULT;
-        if (!errno && override_architecture(name))
+        if (override_architecture(name))
-                errno = -EFAULT;
+                return -EFAULT;
-        return errno;
+        return 0;
 }
 #ifdef __ARCH_WANT_SYS_OLD_UNAME
@@ -1257,55 +1258,46 @@ SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name)
 */
 SYSCALL_DEFINE1(uname, struct old_utsname __user *, name)
 {
-        int error = 0;
+        struct old_utsname tmp;
        if (!name)
                return -EFAULT;
        down_read(&uts_sem);
-        if (copy_to_user(name, utsname(), sizeof(*name)))
+        memcpy(&tmp, utsname(), sizeof(tmp));
-                error = -EFAULT;
        up_read(&uts_sem);
+        if (copy_to_user(name, &tmp, sizeof(tmp)))
+                return -EFAULT;
-        if (!error && override_release(name->release, sizeof(name->release)))
+        if (override_release(name->release, sizeof(name->release)))
-                error = -EFAULT;
+                return -EFAULT;
-        if (!error && override_architecture(name))
+        if (override_architecture(name))
-                error = -EFAULT;
+                return -EFAULT;
-        return error;
+        return 0;
 }
 SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
 {
-        int error;
+        struct oldold_utsname tmp = {};
        if (!name)
                return -EFAULT;
-        if (!access_ok(VERIFY_WRITE, name, sizeof(struct oldold_utsname)))
-                return -EFAULT;
        down_read(&uts_sem);
-        error = __copy_to_user(&name->sysname, &utsname()->sysname,
+        memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN);
-                               __OLD_UTS_LEN);
+        memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN);
-        error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
+        memcpy(&tmp.release, &utsname()->release, __OLD_UTS_LEN);
-        error |= __copy_to_user(&name->nodename, &utsname()->nodename,
+        memcpy(&tmp.version, &utsname()->version, __OLD_UTS_LEN);
-                                __OLD_UTS_LEN);
+        memcpy(&tmp.machine, &utsname()->machine, __OLD_UTS_LEN);
-        error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
-        error |= __copy_to_user(&name->release, &utsname()->release,
-                                __OLD_UTS_LEN);
-        error |= __put_user(0, name->release + __OLD_UTS_LEN);
-        error |= __copy_to_user(&name->version, &utsname()->version,
-                                __OLD_UTS_LEN);
-        error |= __put_user(0, name->version + __OLD_UTS_LEN);
-        error |= __copy_to_user(&name->machine, &utsname()->machine,
-                                __OLD_UTS_LEN);
-        error |= __put_user(0, name->machine + __OLD_UTS_LEN);
        up_read(&uts_sem);
+        if (copy_to_user(name, &tmp, sizeof(tmp)))
+                return -EFAULT;
-        if (!error && override_architecture(name))
+        if (override_architecture(name))
-                error = -EFAULT;
+                return -EFAULT;
-        if (!error && override_release(name->release, sizeof(name->release)))
+        if (override_release(name->release, sizeof(name->release)))
-                error = -EFAULT;
+                return -EFAULT;
-        return error ? -EFAULT : 0;
+        return 0;
 }
 #endif
@@ -1319,17 +1311,18 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int, len)
        if (len < 0 || len > __NEW_UTS_LEN)
                return -EINVAL;
-        down_write(&uts_sem);
        errno = -EFAULT;
        if (!copy_from_user(tmp, name, len)) {
-                struct new_utsname *u = utsname();
+                struct new_utsname *u;
+                down_write(&uts_sem);
+                u = utsname();
                memcpy(u->nodename, tmp, len);
                memset(u->nodename + len, 0, sizeof(u->nodename) - len);
                errno = 0;
                uts_proc_notify(UTS_PROC_HOSTNAME);
+                up_write(&uts_sem);
        }
-        up_write(&uts_sem);
        return errno;
 }
@@ -1337,8 +1330,9 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int, len)
 SYSCALL_DEFINE2(gethostname, char __user *, name, int, len)
 {
-        int i, errno;
+        int i;
        struct new_utsname *u;
+        char tmp[__NEW_UTS_LEN + 1];
        if (len < 0)
                return -EINVAL;
@@ -1347,11 +1341,11 @@ SYSCALL_DEFINE2(gethostname, char __user *, name, int, len)
        i = 1 + strlen(u->nodename);
        if (i > len)
                i = len;
-        errno = 0;
+        memcpy(tmp, u->nodename, i);
-        if (copy_to_user(name, u->nodename, i))
-                errno = -EFAULT;
        up_read(&uts_sem);
-        return errno;
+        if (copy_to_user(name, tmp, i))
+                return -EFAULT;
+        return 0;
 }
 #endif
@@ -1370,17 +1364,18 @@ SYSCALL_DEFINE2(setdomainname, char __user *, name, int, len)
        if (len < 0 || len > __NEW_UTS_LEN)
                return -EINVAL;
-        down_write(&uts_sem);
        errno = -EFAULT;
        if (!copy_from_user(tmp, name, len)) {
-                struct new_utsname *u = utsname();
+                struct new_utsname *u;
+                down_write(&uts_sem);
+                u = utsname();
                memcpy(u->domainname, tmp, len);
                memset(u->domainname + len, 0, sizeof(u->domainname) - len);
                errno = 0;
                uts_proc_notify(UTS_PROC_DOMAINNAME);
+                up_write(&uts_sem);
        }
-        up_write(&uts_sem);
        return errno;
 }
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index c3d7583fcd21..e5222b5fb4fe 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -859,7 +859,16 @@ static ssize_t map_write(struct file *file, const char __user *buf,
        unsigned idx;
        struct uid_gid_extent extent;
        char *kbuf = NULL, *pos, *next_line;
-        ssize_t ret = -EINVAL;
+        ssize_t ret;
+        /* Only allow < page size writes at the beginning of the file */
+        if ((*ppos != 0) || (count >= PAGE_SIZE))
+                return -EINVAL;
+        /* Slurp in the user data */
+        kbuf = memdup_user_nul(buf, count);
+        if (IS_ERR(kbuf))
+                return PTR_ERR(kbuf);
        /*
         * The userns_state_mutex serializes all writes to any given map.
@@ -895,19 +904,6 @@ static ssize_t map_write(struct file *file, const char __user *buf,
        if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
                goto out;
-        /* Only allow < page size writes at the beginning of the file */
-        ret = -EINVAL;
-        if ((*ppos != 0) || (count >= PAGE_SIZE))
-                goto out;
-        /* Slurp in the user data */
-        kbuf = memdup_user_nul(buf, count);
-        if (IS_ERR(kbuf)) {
-                ret = PTR_ERR(kbuf);
-                kbuf = NULL;
-                goto out;
-        }
        /* Parse the user data */
        ret = -EINVAL;
        pos = kbuf;
diff --git a/kernel/utsname_sysctl.c b/kernel/utsname_sysctl.c
index 233cd8fc6910..258033d62cb3 100644
--- a/kernel/utsname_sysctl.c
+++ b/kernel/utsname_sysctl.c
@@ -18,7 +18,7 @@
 #ifdef CONFIG_PROC_SYSCTL
-static void *get_uts(struct ctl_table *table, int write)
+static void *get_uts(struct ctl_table *table)
 {
        char *which = table->data;
        struct uts_namespace *uts_ns;
@@ -26,21 +26,9 @@ static void *get_uts(struct ctl_table *table, int write)
        uts_ns = current->nsproxy->uts_ns;
        which = (which - (char *)&init_uts_ns) + (char *)uts_ns;
-        if (!write)
-                down_read(&uts_sem);
-        else
-                down_write(&uts_sem);
        return which;
 }
-static void put_uts(struct ctl_table *table, int write, void *which)
-{
-        if (!write)
-                up_read(&uts_sem);
-        else
-                up_write(&uts_sem);
-}
 /*
 *      Special case of dostring for the UTS structure. This has locks
 *      to observe. Should this be in kernel/sys.c ????
@@ -50,13 +38,34 @@ static int proc_do_uts_string(struct ctl_table *table, int write,
 {
        struct ctl_table uts_table;
        int r;
+        char tmp_data[__NEW_UTS_LEN + 1];
        memcpy(&uts_table, table, sizeof(uts_table));
-        uts_table.data = get_uts(table, write);
+        uts_table.data = tmp_data;
+        /*
+         * Buffer the value in tmp_data so that proc_dostring() can be called
+         * without holding any locks.
+         * We also need to read the original value in the write==1 case to
+         * support partial writes.
+         */
+        down_read(&uts_sem);
+        memcpy(tmp_data, get_uts(table), sizeof(tmp_data));
+        up_read(&uts_sem);
        r = proc_dostring(&uts_table, write, buffer, lenp, ppos);
-        put_uts(table, write, uts_table.data);
-        if (write)
+        if (write) {
+                /*
+                 * Write back the new value.
+                 * Note that, since we dropped uts_sem, the result can
+                 * theoretically be incorrect if there are two parallel writes
+                 * at non-zero offsets to the same sysctl.
+                 */
+                down_write(&uts_sem);
+                memcpy(get_uts(table), tmp_data, sizeof(tmp_data));
+                up_write(&uts_sem);
                proc_sys_poll_notify(table->poll);
+        }
        return r;
 }
author	Linus Torvalds <torvalds@linux-foundation.org>	2018-08-24 12:25:39 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2018-08-24 12:25:39 -0400
commit	4def1963608ed2b61aca5b52fdedb4ca2798820c (patch)
tree	83b36e8ff3c5eabe0d235f863adcf54f838f838a /kernel
parent	5e8704ac1cfa9fceef94fcc457e18613b1589b34 (diff)
parent	82c9a927bc5df6e06b72d206d24a9d10cced4eb5 (diff)