All of lore.kernel.org
 help / color / mirror / Atom feed
From: Thiago Rafael Becker <thiago.becker@gmail.com>
To: viro@zeniv.linux.org.uk, schwidefsky@de.ibm.com,
	willy@infradead.org, bfields@fieldses.org, neilb@suse.com
Cc: linux-nfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Thiago Rafael Becker <thiago.becker@gmail.com>
Subject: [PATCH v5] kernel: make groups_sort calling a responsibility group_info allocators
Date: Mon, 11 Dec 2017 13:14:20 -0200	[thread overview]
Message-ID: <20171211151420.18655-1-thiago.becker@gmail.com> (raw)
In-Reply-To: <20171211142708.GA23284@bombadil.infradead.org>

In testing, we found that nfsd threads may call set_groups in parallel for
the same entry cached in auth.unix.gid, racing in the call of groups_sort,
corrupting the groups for that entry and leading to permission denials for
the client.

This patch:
 - Make groups_sort globally visible.
 - Move the call to groups_sort to the modifiers of group_info
 - Remove the call to groups_sort from set_groups

Signed-off-by: Thiago Rafael Becker <thiago.becker@gmail.com>
---
 arch/s390/kernel/compat_linux.c   | 1 +
 fs/nfsd/auth.c                    | 3 +++
 include/linux/cred.h              | 1 +
 kernel/groups.c                   | 5 +++--
 kernel/uid16.c                    | 1 +
 net/sunrpc/auth_gss/gss_rpc_xdr.c | 1 +
 net/sunrpc/auth_gss/svcauth_gss.c | 1 +
 net/sunrpc/svcauth_unix.c         | 2 ++
 8 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/arch/s390/kernel/compat_linux.c b/arch/s390/kernel/compat_linux.c
index f04db37..59eea9c 100644
--- a/arch/s390/kernel/compat_linux.c
+++ b/arch/s390/kernel/compat_linux.c
@@ -263,6 +263,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setgroups16, int, gidsetsize, u16 __user *, grouplis
 		return retval;
 	}
 
+	groups_sort(group_info);
 	retval = set_current_groups(group_info);
 	put_group_info(group_info);
 
diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c
index 697f8ae..f650e47 100644
--- a/fs/nfsd/auth.c
+++ b/fs/nfsd/auth.c
@@ -60,6 +60,9 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp)
 				gi->gid[i] = exp->ex_anon_gid;
 			else
 				gi->gid[i] = rqgi->gid[i];
+
+			/* Each thread allocates its own gi, no race */
+			groups_sort(gi);
 		}
 	} else {
 		gi = get_group_info(rqgi);
diff --git a/include/linux/cred.h b/include/linux/cred.h
index 099058e..6312865 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -83,6 +83,7 @@ extern int set_current_groups(struct group_info *);
 extern void set_groups(struct cred *, struct group_info *);
 extern int groups_search(const struct group_info *, kgid_t);
 extern bool may_setgroups(void);
+extern void groups_sort(struct group_info *);
 
 /*
  * The security context of a task
diff --git a/kernel/groups.c b/kernel/groups.c
index e357bc8..daae2f2 100644
--- a/kernel/groups.c
+++ b/kernel/groups.c
@@ -86,11 +86,12 @@ static int gid_cmp(const void *_a, const void *_b)
 	return gid_gt(a, b) - gid_lt(a, b);
 }
 
-static void groups_sort(struct group_info *group_info)
+void groups_sort(struct group_info *group_info)
 {
 	sort(group_info->gid, group_info->ngroups, sizeof(*group_info->gid),
 	     gid_cmp, NULL);
 }
+EXPORT_SYMBOL(groups_sort);
 
 /* a simple bsearch */
 int groups_search(const struct group_info *group_info, kgid_t grp)
@@ -122,7 +123,6 @@ int groups_search(const struct group_info *group_info, kgid_t grp)
 void set_groups(struct cred *new, struct group_info *group_info)
 {
 	put_group_info(new->group_info);
-	groups_sort(group_info);
 	get_group_info(group_info);
 	new->group_info = group_info;
 }
@@ -206,6 +206,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsize, gid_t __user *, grouplist)
 		return retval;
 	}
 
+	groups_sort(group_info);
 	retval = set_current_groups(group_info);
 	put_group_info(group_info);
 
diff --git a/kernel/uid16.c b/kernel/uid16.c
index ce74a49..ef1da2a 100644
--- a/kernel/uid16.c
+++ b/kernel/uid16.c
@@ -192,6 +192,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidsetsize, old_gid_t __user *, grouplist)
 		return retval;
 	}
 
+	groups_sort(group_info);
 	retval = set_current_groups(group_info);
 	put_group_info(group_info);
 
diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c
index c4778ca..444380f 100644
--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c
+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
@@ -231,6 +231,7 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr,
 			goto out_free_groups;
 		creds->cr_group_info->gid[i] = kgid;
 	}
+	groups_sort(creds->cr_group_info);
 
 	return 0;
 out_free_groups:
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 5dd4e6c..2653119 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -481,6 +481,7 @@ static int rsc_parse(struct cache_detail *cd,
 				goto out;
 			rsci.cred.cr_group_info->gid[i] = kgid;
 		}
+		groups_sort(rsci.cred.cr_group_info);
 
 		/* mech name */
 		len = qword_get(&mesg, buf, mlen);
diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c
index 740b67d..af7f28f 100644
--- a/net/sunrpc/svcauth_unix.c
+++ b/net/sunrpc/svcauth_unix.c
@@ -520,6 +520,7 @@ static int unix_gid_parse(struct cache_detail *cd,
 		ug.gi->gid[i] = kgid;
 	}
 
+	groups_sort(ug.gi);
 	ugp = unix_gid_lookup(cd, uid);
 	if (ugp) {
 		struct cache_head *ch;
@@ -819,6 +820,7 @@ svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp)
 		kgid_t kgid = make_kgid(&init_user_ns, svc_getnl(argv));
 		cred->cr_group_info->gid[i] = kgid;
 	}
+	groups_sort(cred->cr_group_info);
 	if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) {
 		*authp = rpc_autherr_badverf;
 		return SVC_DENIED;
-- 
2.9.5


  reply	other threads:[~2017-12-11 15:14 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-11-30 13:04 [PATCH 0/3, V2] Move groups_sort outisde of set_groups Thiago Rafael Becker
2017-11-30 13:04 ` [PATCH 1/3, V2] kernel: make groups_sort globally visible Thiago Rafael Becker
2017-11-30 13:04 ` [PATCH 2/3, V2] kernel: Move groups_sort to the caller of set_groups Thiago Rafael Becker
2017-12-03 12:56   ` kbuild test robot
2017-12-04  1:42   ` NeilBrown
2017-12-04 15:39     ` Thiago Rafael Becker
2017-12-04 15:47       ` J. Bruce Fields
2017-12-04 19:00         ` Thiago Rafael Becker
2017-12-04 20:11       ` NeilBrown
2017-12-05 21:28         ` Matthew Wilcox
2017-12-05 22:05           ` NeilBrown
2017-12-05 23:03           ` Thiago Rafael Becker
2017-12-05 23:23             ` Matthew Wilcox
2017-12-19 16:30         ` J. Bruce Fields
2017-12-19 20:14           ` NeilBrown
2017-11-30 13:04 ` [PATCH 3/3, V2] kernel: set_groups doesn't call groups_sort anymore Thiago Rafael Becker
2017-12-05 14:05 ` [PATCH 0/3 v3] Move groups_sort outisde of set_groups Thiago Rafael Becker
2017-12-05 14:05   ` [PATCH 1/3 v3] kernel: make groups_sort globally visible Thiago Rafael Becker
2017-12-05 14:05   ` [PATCH 2/3 v3] kernel: Move groups_sort to the caller of set_groups Thiago Rafael Becker
2017-12-05 18:55     ` [PATCH 2/3] " Thiago Rafael Becker
2017-12-05 22:08       ` NeilBrown
2017-12-05 18:57     ` [PATCH 2/3 v3] " Thiago Rafael Becker
2017-12-05 14:05   ` [PATCH 3/3 v3] kernel: set_groups doesn't call groups_sort anymore Thiago Rafael Becker
2017-12-06 19:27   ` [PATCH 0/3 v3] Move groups_sort outisde of set_groups J. Bruce Fields
2017-12-11 13:28   ` [PATCH v4] kernel: make groups_sort calling a responsibility group_info allocators Thiago Rafael Becker
2017-12-11 14:27     ` Matthew Wilcox
2017-12-11 15:14       ` Thiago Rafael Becker [this message]
2017-12-11 15:24         ` [PATCH v5] " Matthew Wilcox
2017-12-11 16:18         ` J. Bruce Fields
2017-12-11 21:43         ` NeilBrown
2017-12-11 21:43         ` NeilBrown
2018-01-02 14:54           ` David Howells
2018-01-02 21:01             ` [PATCH] Documentation: security/credentials.rst: explain need to sort group_list NeilBrown
2018-01-02 21:04               ` Matthew Wilcox
2018-01-06 18:09                 ` Jonathan Corbet
2018-01-06 20:20                   ` Matthew Wilcox
2018-01-06 22:36                     ` Randy Dunlap
2018-01-08 16:36                     ` Jonathan Corbet
2018-01-07 23:39                   ` NeilBrown
2018-01-08 16:40                     ` Jonathan Corbet
2018-01-08 16:40                       ` Jonathan Corbet

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171211151420.18655-1-thiago.becker@gmail.com \
    --to=thiago.becker@gmail.com \
    --cc=bfields@fieldses.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=neilb@suse.com \
    --cc=schwidefsky@de.ibm.com \
    --cc=viro@zeniv.linux.org.uk \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.