From: Jann Horn
To: Oleg Nesterov
Cc: Seth Forshee, "Eric W. Biederman", Doug Ledford, Al Viro, Tejun Heo, Roland McGrath, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] signal: fix overflow_uid signal sender
Date: Wed, 2 Nov 2016 18:24:55 +0100
Message-ID: <20161102172455.GE8196@pc.thejh.net>
References: <1477929262-2531-1-git-send-email-jann@thejh.net> <20161102181640.GA1112@redhat.com>
In-Reply-To: <20161102181640.GA1112@redhat.com>

On Wed, Nov 02, 2016 at 07:16:41PM +0100, Oleg Nesterov wrote:
> On 10/31, Jann Horn wrote:
> >
> > static inline void userns_fixup_signal_uid(struct siginfo *info, struc= t task_struct *t) > > { > > - if (current_user_ns() =3D=3D task_cred_xxx(t, user_ns)) > > + if (&init_user_ns =3D=3D task_cred_xxx(t, user_ns)) > > return; > > =20 > > if (SI_FROMKERNEL(info)) > > @@ -959,7 +959,7 @@ static inline void userns_fixup_signal_uid(struct s= iginfo *info, struct task_str > > =20 > > rcu_read_lock(); > > info->si_uid =3D from_kuid_munged(task_cred_xxx(t, user_ns), > > - make_kuid(current_user_ns(), info->si_uid)); > > + make_kuid(&init_user_ns, info->si_uid)); > > rcu_read_unlock(); > > } > > #else
> > @@ -1027,7 +1027,8 @@ static int __send_signal(int sig, struct siginfo = *info, struct task_struct *t, > > q->info.si_code =3D SI_USER; > > q->info.si_pid =3D task_tgid_nr_ns(current, > > task_active_pid_ns(t)); > > - q->info.si_uid =3D from_kuid_munged(current_user_ns(), current_uid(= )); > > + q->info.si_uid =3D from_kuid(&init_user_ns, > > + current_uid());
>
> Looks good to me at first glance, but I think this needs an ack from Eric.
>
> I have to admit that I forgot how uid_map/etc actually works, I can't
> even recall if from_kuid(init_user_ns, xxx) == __kuid_val(xxx) or not,
> although this doesn't really matter.

Yes, from_kuid(&init_user_ns, xxx) == __kuid_val(xxx). For values from
0 to 0xfffffffe, the uid_map of init_user_ns is an identity map (and it
can't be changed), and for 0xffffffff, which isn't mapped, it returns
0xffffffff to denote failure.
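Review bot: in userns_fixup_signal_uid(), the new make_kuid(&init_user_ns, info->si_uid) assumes that every siginfo reaching this function already carries si_uid as an init_user_ns value, yet the only producer converted in the quoted hunks is the SI_USER assignment in __send_signal(). Please confirm that any other path that fills si_uid before this fixup follows the same convention, and state that convention in a comment above the function so the early return on &init_user_ns is not read as an optimisation only.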
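Review bot: the q->info.si_uid assignment in __send_signal() moves from from_kuid_munged() to from_kuid() with no comment on why the unmunged variant is acceptable at this point. A short comment saying that the value is stored as an init_user_ns uid and is translated for the target later by userns_fixup_signal_uid() would tie the two sites together and make it harder for a later change to reintroduce a mismatch between them.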
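The mapping rule from the reply above and the two si_uid paths of the quoted hunks, as a simplified userspace model. This is an added example, not kernel code and not part of the original message. The `model_*` helpers, `si_uid_old`/`si_uid_new`, the single-extent maps and `container_ns` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define INVALID_ID  0xffffffffu /* (uid_t)-1, "no mapping" */
#define OVERFLOW_ID 65534u      /* default overflowuid */
/* Model assumption: one uid_map extent per namespace, mapping ns ids
 * [first, first+count) directly onto kernel ids [lower_first, ...). */
struct userns { uint32_t first, lower_first, count; };
/* Identity over 0..0xfffffffe; 0xffffffff is left unmapped. */
static const struct userns init_ns = { 0, 0, 0xffffffffu };
/* Constructed sample: ns uids 0..999 backed by kernel uids 100000..100999. */
static const struct userns container_ns = { 0, 100000, 1000 };
static uint32_t xlate(uint32_t from, uint32_t to, uint32_t count, uint32_t id)
{
    return (id >= from && id - from < count) ? to + (id - from) : INVALID_ID;
}
/* kernel id -> id as seen inside ns, INVALID_ID when unmapped */
static uint32_t model_from_kuid(const struct userns *ns, uint32_t kuid)
{
    return xlate(ns->lower_first, ns->first, ns->count, kuid);
}
/* same, but an unmapped id is reported as the overflow id */
static uint32_t model_from_kuid_munged(const struct userns *ns, uint32_t kuid)
{
    uint32_t id = model_from_kuid(ns, kuid);
    return id == INVALID_ID ? OVERFLOW_ID : id;
}
/* id inside ns -> kernel id, INVALID_ID when unmapped */
static uint32_t model_make_kuid(const struct userns *ns, uint32_t id)
{
    return xlate(ns->first, ns->lower_first, ns->count, id);
}
/* Pre-patch lines of the quoted hunks: si_uid travels in the sender's ns. */
static uint32_t si_uid_old(const struct userns *snd, const struct userns *tgt, uint32_t kuid)
{
    uint32_t si_uid = model_from_kuid_munged(snd, kuid);
    return snd == tgt ? si_uid : model_from_kuid_munged(tgt, model_make_kuid(snd, si_uid));
}
/* Post-patch lines: si_uid travels as an init_user_ns value. */
static uint32_t si_uid_new(const struct userns *tgt, uint32_t kuid)
{
    uint32_t si_uid = model_from_kuid(&init_ns, kuid);
    return tgt == &init_ns ? si_uid : model_from_kuid_munged(tgt, model_make_kuid(&init_ns, si_uid));
}
int main(void)
{
    /* Sender in container_ns holds kernel uid 1000, which that ns does not map. */
    printf("old=%u new=%u\n", si_uid_old(&container_ns, &init_ns, 1000), si_uid_new(&init_ns, 1000));
    return 0;
}
```

In the model, a receiver in the initial namespace sees the overflow uid on the old path and the sender's real uid on the new one, while a receiver inside `container_ns` still gets the overflow uid because the sender is unmapped there.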