public inbox for linux-kernel@vger.kernel.org
From: Greg KH <gregkh@linuxfoundation.org>
To: Rafael David Tinoco <rafael.tinoco@linaro.org>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	jannh@google.com, christian@brauner.io, serge@hallyn.com,
	ebiederm@xmission.com, dan.rue@linaro.org,
	naresh.kamboju@linaro.org
Subject: Re: [PATCH 4.4 34/47] userns: move user access out of the mutex
Date: Sun, 9 Sep 2018 11:03:33 +0200	[thread overview]
Message-ID: <20180909090333.GB4195@kroah.com> (raw)
In-Reply-To: <CABdQkv8Oxmy7ZcwAhKJ-tYJyqJCWba9+vtGCSgMS2aGymEzhsQ@mail.gmail.com>

On Sun, Sep 09, 2018 at 12:56:45AM -0300, Rafael David Tinoco wrote:
> Greg,
> 
> On Fri, Sep 7, 2018 at 6:41 PM Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > 4.4-stable review patch.  If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Jann Horn <jannh@google.com>
> >
> > commit 5820f140edef111a9ea2ef414ab2428b8cb805b1 upstream.
> >
> > The old code would hold the userns_state_mutex indefinitely if
> > memdup_user_nul stalled due to e.g. a userfault region. Prevent that by
> > moving the memdup_user_nul in front of the mutex_lock().
> >
> > Note: This changes the error precedence of invalid buf/count/*ppos vs
> > map already written / capabilities missing.
> >
> > Fixes: 22d917d80e84 ("userns: Rework the user_namespace adding uid/gid...")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Jann Horn <jannh@google.com>
> > Acked-by: Christian Brauner <christian@brauner.io>
> > Acked-by: Serge Hallyn <serge@hallyn.com>
> > Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >
> > ---
> >  kernel/user_namespace.c |   22 ++++++++++------------
> >  1 file changed, 10 insertions(+), 12 deletions(-)
> >
> > --- a/kernel/user_namespace.c
> > +++ b/kernel/user_namespace.c
> > @@ -604,7 +604,16 @@ static ssize_t map_write(struct file *fi
> >         struct uid_gid_extent *extent = NULL;
> >         unsigned long page = 0;
> >         char *kbuf, *pos, *next_line;
> > -       ssize_t ret = -EINVAL;
> > +       ssize_t ret;
> > +
> > +       /* Only allow < page size writes at the beginning of the file */
> > +       if ((*ppos != 0) || (count >= PAGE_SIZE))
> > +               return -EINVAL;
> > +
> > +       /* Slurp in the user data */
> > +       if (copy_from_user(kbuf, buf, count))
> > +               return -EFAULT;
> > +       kbuf[count] = '\0';
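Review bot: `copy_from_user(kbuf, buf, count)` writes through `kbuf`, but in this hunk `kbuf` is only declared (`char *kbuf, *pos, *next_line;`) and is never assigned before the copy. Upstream's `memdup_user_nul()` did the allocation, and that allocation did not survive the 4.4 rewrite to `copy_from_user()`, so the copy goes through an uninitialised pointer and the write fails with -EFAULT. The `page` variable the 4.4 code used for this buffer is still declared (`unsigned long page = 0;`), so the fix is to allocate it ahead of the copy, e.g. `page = __get_free_page(GFP_TEMPORARY); kbuf = (char *) page; if (!page) return -ENOMEM;`, and free it on every exit path, keeping both the allocation and the copy in front of `mutex_lock()` so the point of the upstream change (not holding userns_state_mutex across a user access that can stall on a userfault region) is preserved. Separately, `ret` no longer defaults to -EINVAL (`-       ssize_t ret = -EINVAL;` became `+       ssize_t ret;`), so every later error path in the function must set it explicitly before jumping to the common exit.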
> 
> Naresh will soon report issues found by LKFT on user_ns for 4.4 kernel
> for this review round.
> 
> selftests: mount_run_tests.sh [FAIL]
> write to /proc/self/uid_map failed: Bad address
> 
> LTP: user_namespace2 1 TBROK : safe_macros.c:452: userns02.c:95:
> write(6,0x7ffc133113d0,18446744073709551615) failed: errno=EFAULT(14):
> Bad address
> 
> I believe the EFAULT was caused because when changing code from
> "memdup_user_nul" to "copy_from_user", for the older kernels, you
> missed allocating the slab object for "kbuf", like memdup_user_nul()
> does.
> 
> Note: This likely applies to 3.18 as well.
> 
> We are finishing functional tests without this patch, but we wanted to
> make you aware right away.

Nice catch.  Ugh, that's all my fault for when I backported this.  Let
me go work on that now...

greg k-h
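A user-space reproduction of the failure LKFT hit, added here as an example and not part of this thread, of the kernel selftests or of LTP: the program unshares a user namespace and writes the single self-mapping line that an unprivileged process is allowed to install into /proc/self/uid_map, then classifies the outcome. On a kernel carrying the broken backport the write() returns EFAULT ("Bad address"); on a kernel that disallows unprivileged user namespaces unshare() fails first, typically with EPERM; on a healthy kernel the write succeeds and getuid() reports 0 inside the new namespace. The enum names and helper functions are this example's own, and the CLONE_NEWUSER/unshare() fallbacks only exist so the file builds without _GNU_SOURCE taking effect.

```c
/* Added example (not from the original thread): user-space check for the
 * /proc/self/uid_map write path discussed above. Unshares a user namespace,
 * writes the unprivileged self-mapping "0 <outer uid> 1\n" and classifies
 * the result. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* fallback: value from <linux/sched.h> */
#endif
int unshare(int flags);            /* glibc prototype, repeated in case _GNU_SOURCE was not honoured */

enum map_result {
    MAP_OK,            /* mapping installed; getuid() now reads 0 inside the namespace */
    MAP_NO_USERNS,     /* unshare(CLONE_NEWUSER) refused (EPERM, EINVAL, ENOSYS, ...) */
    MAP_EFAULT,        /* write() failed with EFAULT: the symptom LKFT reported */
    MAP_OTHER_ERROR    /* anything else; inspect the saved errno */
};

/* Map a write(2) outcome on uid_map to the categories above (pure, testable). */
enum map_result classify_write(ssize_t written, size_t expected, int err)
{
    if (written == (ssize_t)expected)
        return MAP_OK;
    if (written < 0 && err == EFAULT)
        return MAP_EFAULT;
    return MAP_OTHER_ERROR;   /* short write or a different errno */
}

/* Build "0 <outer_uid> 1\n"; returns its length, or 0 if buf is too small. */
size_t build_self_mapping(char *buf, size_t size, unsigned outer_uid)
{
    int n = snprintf(buf, size, "0 %u 1\n", outer_uid);
    return (n > 0 && (size_t)n < size) ? (size_t)n : 0;
}

/* Perform the check in the calling process. unshare() is irreversible for the
 * caller, so run this from a throwaway process. *saved_errno receives the errno
 * of the failing step, or 0 on success. */
enum map_result check_uid_map_write(int *saved_errno)
{
    char line[64];
    size_t len = build_self_mapping(line, sizeof line, (unsigned)getuid());

    if (unshare(CLONE_NEWUSER) < 0) {
        *saved_errno = errno;
        return MAP_NO_USERNS;
    }
    int fd = open("/proc/self/uid_map", O_WRONLY);
    if (fd < 0) {
        *saved_errno = errno;
        return MAP_OTHER_ERROR;
    }
    ssize_t w = write(fd, line, len);   /* kernel side: map_write() */
    *saved_errno = (w < 0) ? errno : 0;
    close(fd);
    return classify_write(w, len, *saved_errno);
}

int main(void)
{
    int err = 0;
    switch (check_uid_map_write(&err)) {
    case MAP_OK:
        printf("uid_map write OK, uid inside namespace = %u\n", (unsigned)getuid());
        return 0;
    case MAP_NO_USERNS:
        printf("cannot unshare a user namespace: %s\n", strerror(err));
        return 2;
    case MAP_EFAULT:
        printf("uid_map write failed with EFAULT: matches the broken-backport symptom\n");
        return 1;
    default:
        printf("uid_map write failed: %s\n", strerror(err));
        return 1;
    }
}
```

Exit code 0 means the mapping was installed, 2 means the kernel or sandbox refused the user namespace so nothing about map_write() was exercised, and 1 with "EFAULT" on a kernel that otherwise supports unprivileged user namespaces is the symptom Rafael describes: the user access itself cannot fault on a valid buffer, so the EFAULT comes from the kernel's own copy destination.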


Thread overview: 59+ messages
2018-09-07 21:09 [PATCH 4.4 00/47] 4.4.155-stable review Greg Kroah-Hartman
2018-09-07 21:09 ` [PATCH 4.4 01/47] net: 6lowpan: fix reserved space for single frames Greg Kroah-Hartman
2018-09-07 21:09 ` [PATCH 4.4 02/47] net: mac802154: tx: expand tailroom if necessary Greg Kroah-Hartman
2018-09-07 21:09 ` [PATCH 4.4 03/47] 9p/net: Fix zero-copy path in the 9p virtio transport Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 04/47] net: lan78xx: Fix misplaced tasklet_schedule() call Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 05/47] spi: davinci: fix a NULL pointer dereference Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 06/47] drm/i915/userptr: reject zero user_size Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 07/47] powerpc/fadump: handle crash memory ranges array index overflow Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 08/47] powerpc/pseries: Fix endianness while restoring of r3 in MCE handler Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 09/47] fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 10/47] 9p/virtio: fix off-by-one error in sg list bounds check Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 11/47] net/9p/client.c: version pointer uninitialized Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 12/47] net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree() Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 13/47] x86/mm/pat: Fix L1TF stable backport for CPA, 2nd call Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 14/47] dm cache metadata: save in-core policy_hint_size to on-disk superblock Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 15/47] iio: ad9523: Fix displayed phase Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 16/47] iio: ad9523: Fix return value for ad952x_store() Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 17/47] vmw_balloon: fix inflation of 64-bit GFNs Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 18/47] vmw_balloon: do not use 2MB without batching Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 19/47] vmw_balloon: VMCI_DOORBELL_SET does not check status Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 20/47] vmw_balloon: fix VMCI use when balloon built into kernel Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 21/47] tracing: Do not call start/stop() functions when tracing_on does not change Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 22/47] tracing/blktrace: Fix to allow setting same value Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 23/47] kthread, tracing: Dont expose half-written comm when creating kthreads Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 24/47] uprobes: Use synchronize_rcu() not synchronize_sched() Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 25/47] 9p: fix multiple NULL-pointer-dereferences Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 26/47] PM / sleep: wakeup: Fix build error caused by missing SRCU support Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 27/47] pnfs/blocklayout: off by one in bl_map_stripe() Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 28/47] ARM: tegra: Fix Tegra30 Cardhu PCA954x reset Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 29/47] mm/tlb: Remove tlb_remove_table() non-concurrent condition Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 30/47] iommu/vt-d: Add definitions for PFSID Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 31/47] iommu/vt-d: Fix dev iotlb pfsid use Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 32/47] osf_getdomainname(): use copy_to_user() Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 33/47] sys: dont hold uts_sem while accessing userspace memory Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 34/47] userns: move user access out of the mutex Greg Kroah-Hartman
2018-09-09  3:56   ` Rafael David Tinoco
2018-09-09  9:03     ` Greg KH [this message]
2018-09-09  9:16     ` Greg KH
2018-09-09  9:29       ` Greg KH
2018-09-07 21:10 ` [PATCH 4.4 35/47] ubifs: Fix memory leak in lprobs self-check Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 36/47] Revert "UBIFS: Fix potential integer overflow in allocation" Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 37/47] ubifs: Check data node size before truncate Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 38/47] ubifs: Fix synced_i_size calculation for xattr inodes Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 39/47] pwm: tiehrpwm: Fix disabling of output of PWMs Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 40/47] fb: fix lost console when the user unplugs a USB adapter Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 41/47] udlfb: set optimal write delay Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 42/47] getxattr: use correct xattr length Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 43/47] bcache: release dc->writeback_lock properly in bch_writeback_thread() Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 44/47] perf auxtrace: Fix queue resize Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 45/47] fs/quota: Fix spectre gadget in do_quotactl Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 4.4 46/47] x86/io: add interface to reserve io memtype for a resource range. (v1.1) Greg Kroah-Hartman
2018-09-07 22:39 ` [PATCH 4.4 00/47] 4.4.155-stable review Nathan Chancellor
2018-09-08 21:13 ` Guenter Roeck
2018-09-09  9:01   ` Greg Kroah-Hartman
2018-09-09 15:52     ` Guenter Roeck
2018-09-09  4:52 ` Naresh Kamboju
2018-09-09  9:17   ` Greg Kroah-Hartman
2018-09-10  1:27     ` Dan Rue
2018-09-10 15:01 ` Shuah Khan
