Merge branch 'userns-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull namespace fixes from Eric Biederman:
"This is a set of four fairly obvious bug fixes:
- a switch from d_find_alias to d_find_any_alias because the xattr
code perversely takes a dentry
- two mutex vs copy_to_user fixes from Jann Horn
- a fix to use a sanitized size not the size userspace passed in from
Christian Brauner"
* 'userns-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
getxattr: use correct xattr length
sys: don't hold uts_sem while accessing userspace memory
userns: move user access out of the mutex
cap_inode_getsecurity: use d_find_any_alias() instead of d_find_alias()
This commit is contained in:
Linus Torvalds
95
kernel/sys.c
95
kernel/sys.c
@@ -1237,18 +1237,19 @@ static int override_release(char __user *release, size_t len)
|
||||
|
||||
SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name)
|
||||
{
|
||||
int errno = 0;
|
||||
struct new_utsname tmp;
|
||||
|
||||
down_read(&uts_sem);
|
||||
if (copy_to_user(name, utsname(), sizeof *name))
|
||||
errno = -EFAULT;
|
||||
memcpy(&tmp, utsname(), sizeof(tmp));
|
||||
up_read(&uts_sem);
|
||||
if (copy_to_user(name, &tmp, sizeof(tmp)))
|
||||
return -EFAULT;
|
||||
|
||||
if (!errno && override_release(name->release, sizeof(name->release)))
|
||||
errno = -EFAULT;
|
||||
if (!errno && override_architecture(name))
|
||||
errno = -EFAULT;
|
||||
return errno;
|
||||
if (override_release(name->release, sizeof(name->release)))
|
||||
return -EFAULT;
|
||||
if (override_architecture(name))
|
||||
return -EFAULT;
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef __ARCH_WANT_SYS_OLD_UNAME
|
||||
@@ -1257,55 +1258,46 @@ SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name)
|
||||
*/
|
||||
SYSCALL_DEFINE1(uname, struct old_utsname __user *, name)
|
||||
{
|
||||
int error = 0;
|
||||
struct old_utsname tmp;
|
||||
|
||||
if (!name)
|
||||
return -EFAULT;
|
||||
|
||||
down_read(&uts_sem);
|
||||
if (copy_to_user(name, utsname(), sizeof(*name)))
|
||||
error = -EFAULT;
|
||||
memcpy(&tmp, utsname(), sizeof(tmp));
|
||||
up_read(&uts_sem);
|
||||
if (copy_to_user(name, &tmp, sizeof(tmp)))
|
||||
return -EFAULT;
|
||||
|
||||
if (!error && override_release(name->release, sizeof(name->release)))
|
||||
error = -EFAULT;
|
||||
if (!error && override_architecture(name))
|
||||
error = -EFAULT;
|
||||
return error;
|
||||
if (override_release(name->release, sizeof(name->release)))
|
||||
return -EFAULT;
|
||||
if (override_architecture(name))
|
||||
return -EFAULT;
|
||||
return 0;
|
||||
}
|
||||
|
||||
SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
|
||||
{
|
||||
int error;
|
||||
struct oldold_utsname tmp = {};
|
||||
|
||||
if (!name)
|
||||
return -EFAULT;
|
||||
if (!access_ok(VERIFY_WRITE, name, sizeof(struct oldold_utsname)))
|
||||
return -EFAULT;
|
||||
|
||||
down_read(&uts_sem);
|
||||
error = __copy_to_user(&name->sysname, &utsname()->sysname,
|
||||
__OLD_UTS_LEN);
|
||||
error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
|
||||
error |= __copy_to_user(&name->nodename, &utsname()->nodename,
|
||||
__OLD_UTS_LEN);
|
||||
error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
|
||||
error |= __copy_to_user(&name->release, &utsname()->release,
|
||||
__OLD_UTS_LEN);
|
||||
error |= __put_user(0, name->release + __OLD_UTS_LEN);
|
||||
error |= __copy_to_user(&name->version, &utsname()->version,
|
||||
__OLD_UTS_LEN);
|
||||
error |= __put_user(0, name->version + __OLD_UTS_LEN);
|
||||
error |= __copy_to_user(&name->machine, &utsname()->machine,
|
||||
__OLD_UTS_LEN);
|
||||
error |= __put_user(0, name->machine + __OLD_UTS_LEN);
|
||||
memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN);
|
||||
memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN);
|
||||
memcpy(&tmp.release, &utsname()->release, __OLD_UTS_LEN);
|
||||
memcpy(&tmp.version, &utsname()->version, __OLD_UTS_LEN);
|
||||
memcpy(&tmp.machine, &utsname()->machine, __OLD_UTS_LEN);
|
||||
up_read(&uts_sem);
|
||||
if (copy_to_user(name, &tmp, sizeof(tmp)))
|
||||
return -EFAULT;
|
||||
|
||||
if (!error && override_architecture(name))
|
||||
error = -EFAULT;
|
||||
if (!error && override_release(name->release, sizeof(name->release)))
|
||||
error = -EFAULT;
|
||||
return error ? -EFAULT : 0;
|
||||
if (override_architecture(name))
|
||||
return -EFAULT;
|
||||
if (override_release(name->release, sizeof(name->release)))
|
||||
return -EFAULT;
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -1319,17 +1311,18 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int, len)
|
||||
|
||||
if (len < 0 || len > __NEW_UTS_LEN)
|
||||
return -EINVAL;
|
||||
down_write(&uts_sem);
|
||||
errno = -EFAULT;
|
||||
if (!copy_from_user(tmp, name, len)) {
|
||||
struct new_utsname *u = utsname();
|
||||
struct new_utsname *u;
|
||||
|
||||
down_write(&uts_sem);
|
||||
u = utsname();
|
||||
memcpy(u->nodename, tmp, len);
|
||||
memset(u->nodename + len, 0, sizeof(u->nodename) - len);
|
||||
errno = 0;
|
||||
uts_proc_notify(UTS_PROC_HOSTNAME);
|
||||
up_write(&uts_sem);
|
||||
}
|
||||
up_write(&uts_sem);
|
||||
return errno;
|
||||
}
|
||||
|
||||
@@ -1337,8 +1330,9 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int, len)
|
||||
|
||||
SYSCALL_DEFINE2(gethostname, char __user *, name, int, len)
|
||||
{
|
||||
int i, errno;
|
||||
int i;
|
||||
struct new_utsname *u;
|
||||
char tmp[__NEW_UTS_LEN + 1];
|
||||
|
||||
if (len < 0)
|
||||
return -EINVAL;
|
||||
@@ -1347,11 +1341,11 @@ SYSCALL_DEFINE2(gethostname, char __user *, name, int, len)
|
||||
i = 1 + strlen(u->nodename);
|
||||
if (i > len)
|
||||
i = len;
|
||||
errno = 0;
|
||||
if (copy_to_user(name, u->nodename, i))
|
||||
errno = -EFAULT;
|
||||
memcpy(tmp, u->nodename, i);
|
||||
up_read(&uts_sem);
|
||||
return errno;
|
||||
if (copy_to_user(name, tmp, i))
|
||||
return -EFAULT;
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif
|
||||
@@ -1370,17 +1364,18 @@ SYSCALL_DEFINE2(setdomainname, char __user *, name, int, len)
|
||||
if (len < 0 || len > __NEW_UTS_LEN)
|
||||
return -EINVAL;
|
||||
|
||||
down_write(&uts_sem);
|
||||
errno = -EFAULT;
|
||||
if (!copy_from_user(tmp, name, len)) {
|
||||
struct new_utsname *u = utsname();
|
||||
struct new_utsname *u;
|
||||
|
||||
down_write(&uts_sem);
|
||||
u = utsname();
|
||||
memcpy(u->domainname, tmp, len);
|
||||
memset(u->domainname + len, 0, sizeof(u->domainname) - len);
|
||||
errno = 0;
|
||||
uts_proc_notify(UTS_PROC_DOMAINNAME);
|
||||
up_write(&uts_sem);
|
||||
}
|
||||
up_write(&uts_sem);
|
||||
return errno;
|
||||
}
|
||||
|
||||
|
||||
@@ -859,7 +859,16 @@ static ssize_t map_write(struct file *file, const char __user *buf,
|
||||
unsigned idx;
|
||||
struct uid_gid_extent extent;
|
||||
char *kbuf = NULL, *pos, *next_line;
|
||||
ssize_t ret = -EINVAL;
|
||||
ssize_t ret;
|
||||
|
||||
/* Only allow < page size writes at the beginning of the file */
|
||||
if ((*ppos != 0) || (count >= PAGE_SIZE))
|
||||
return -EINVAL;
|
||||
|
||||
/* Slurp in the user data */
|
||||
kbuf = memdup_user_nul(buf, count);
|
||||
if (IS_ERR(kbuf))
|
||||
return PTR_ERR(kbuf);
|
||||
|
||||
/*
|
||||
* The userns_state_mutex serializes all writes to any given map.
|
||||
@@ -895,19 +904,6 @@ static ssize_t map_write(struct file *file, const char __user *buf,
|
||||
if (cap_valid(cap_setid) && !file_ns_capable(file, ns, CAP_SYS_ADMIN))
|
||||
goto out;
|
||||
|
||||
/* Only allow < page size writes at the beginning of the file */
|
||||
ret = -EINVAL;
|
||||
if ((*ppos != 0) || (count >= PAGE_SIZE))
|
||||
goto out;
|
||||
|
||||
/* Slurp in the user data */
|
||||
kbuf = memdup_user_nul(buf, count);
|
||||
if (IS_ERR(kbuf)) {
|
||||
ret = PTR_ERR(kbuf);
|
||||
kbuf = NULL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* Parse the user data */
|
||||
ret = -EINVAL;
|
||||
pos = kbuf;
|
||||
|
||||
@@ -18,7 +18,7 @@
|
||||
|
||||
#ifdef CONFIG_PROC_SYSCTL
|
||||
|
||||
static void *get_uts(struct ctl_table *table, int write)
|
||||
static void *get_uts(struct ctl_table *table)
|
||||
{
|
||||
char *which = table->data;
|
||||
struct uts_namespace *uts_ns;
|
||||
@@ -26,21 +26,9 @@ static void *get_uts(struct ctl_table *table, int write)
|
||||
uts_ns = current->nsproxy->uts_ns;
|
||||
which = (which - (char *)&init_uts_ns) + (char *)uts_ns;
|
||||
|
||||
if (!write)
|
||||
down_read(&uts_sem);
|
||||
else
|
||||
down_write(&uts_sem);
|
||||
return which;
|
||||
}
|
||||
|
||||
static void put_uts(struct ctl_table *table, int write, void *which)
|
||||
{
|
||||
if (!write)
|
||||
up_read(&uts_sem);
|
||||
else
|
||||
up_write(&uts_sem);
|
||||
}
|
||||
|
||||
/*
|
||||
* Special case of dostring for the UTS structure. This has locks
|
||||
* to observe. Should this be in kernel/sys.c ????
|
||||
@@ -50,13 +38,34 @@ static int proc_do_uts_string(struct ctl_table *table, int write,
|
||||
{
|
||||
struct ctl_table uts_table;
|
||||
int r;
|
||||
memcpy(&uts_table, table, sizeof(uts_table));
|
||||
uts_table.data = get_uts(table, write);
|
||||
r = proc_dostring(&uts_table, write, buffer, lenp, ppos);
|
||||
put_uts(table, write, uts_table.data);
|
||||
char tmp_data[__NEW_UTS_LEN + 1];
|
||||
|
||||
if (write)
|
||||
memcpy(&uts_table, table, sizeof(uts_table));
|
||||
uts_table.data = tmp_data;
|
||||
|
||||
/*
|
||||
* Buffer the value in tmp_data so that proc_dostring() can be called
|
||||
* without holding any locks.
|
||||
* We also need to read the original value in the write==1 case to
|
||||
* support partial writes.
|
||||
*/
|
||||
down_read(&uts_sem);
|
||||
memcpy(tmp_data, get_uts(table), sizeof(tmp_data));
|
||||
up_read(&uts_sem);
|
||||
r = proc_dostring(&uts_table, write, buffer, lenp, ppos);
|
||||
|
||||
if (write) {
|
||||
/*
|
||||
* Write back the new value.
|
||||
* Note that, since we dropped uts_sem, the result can
|
||||
* theoretically be incorrect if there are two parallel writes
|
||||
* at non-zero offsets to the same sysctl.
|
||||
*/
|
||||
down_write(&uts_sem);
|
||||
memcpy(get_uts(table), tmp_data, sizeof(tmp_data));
|
||||
up_write(&uts_sem);
|
||||
proc_sys_poll_notify(table->poll);
|
||||
}
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user