[PATCH V2 v5.14.y] fuse: verify {g,u}id mount options correctly

[Eric Sandeen <sandeen@redhat.com>]

commit 049584807f1d797fc3078b68035450a9769eb5c3 upstream.

As was done in
0200679fc795 ("tmpfs: verify {g,u}id mount options correctly")
we need to validate that the requested uid and/or gid is representable in
the filesystem's idmapping.

Cribbing from the above commit log,

The contract for {g,u}id mount options and {g,u}id values in general set
from userspace has always been that they are translated according to the
caller's idmapping. In so far, fuse has been doing the correct thing.
But since fuse is mountable in unprivileged contexts it is also
necessary to verify that the resulting {k,g}uid is representable in the
namespace of the superblock.

Fixes: c30da2e981a7 ("fuse: convert to use the new mount API")
Cc: stable@vger.kernel.org # 5.4+
Signed-off-by: Eric Sandeen <sandeen@redhat.com>

---

V2: send the right patch :(

(compile-tested only)

NOTE: This can also be trivially fixed by including the dependency noted in the
original failure (84c215075b57) which renamed "fc" to "fsc", then using the original
upstream patch.

diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 4a7ebccd359e..1951fcf0d910 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -540,6 +540,8 @@ static int fuse_parse_param(struct fs_context *fc, struct fs_parameter *param)
 	struct fs_parse_result result;
 	struct fuse_fs_context *ctx = fc->fs_private;
 	int opt;
+	kuid_t kuid;
+	kgid_t kgid;
 
 	if (fc->purpose == FS_CONTEXT_FOR_RECONFIGURE) {
 		/*
@@ -584,16 +586,30 @@ static int fuse_parse_param(struct fs_context *fc, struct fs_parameter *param)
 		break;
 
 	case OPT_USER_ID:
-		ctx->user_id = make_kuid(fc->user_ns, result.uint_32);
-		if (!uid_valid(ctx->user_id))
+		kuid =  make_kuid(fc->user_ns, result.uint_32);
+		if (!uid_valid(kuid))
 			return invalfc(fc, "Invalid user_id");
+		/*
+		 * The requested uid must be representable in the
+		 * filesystem's idmapping.
+		 */
+		if (!kuid_has_mapping(fc->user_ns, kuid))
+			return invalfc(fc, "Invalid user_id");
+		ctx->user_id = kuid;
 		ctx->user_id_present = true;
 		break;
 
 	case OPT_GROUP_ID:
-		ctx->group_id = make_kgid(fc->user_ns, result.uint_32);
-		if (!gid_valid(ctx->group_id))
+		kgid = make_kgid(fc->user_ns, result.uint_32);;
+		if (!gid_valid(kgid))
+			return invalfc(fc, "Invalid group_id");
+		/*
+		 * The requested gid must be representable in the
+		 * filesystem's idmapping.
+		 */
+		if (!kgid_has_mapping(fc->user_ns, kgid))
 			return invalfc(fc, "Invalid group_id");
+		ctx->group_id = kgid;
 		ctx->group_id_present = true;
 		break;