[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <871r0rss9q.fsf@email.froward.int.ebiederm.org>
Date: Fri, 28 Jan 2022 11:07:45 -0600
From: "Eric W. Biederman" <ebiederm@...ssion.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
cc: <linux-kernel@...r.kernel.org>, Alexey Gladkov <legion@...nel.org>,
Qian Cai <quic_qiancai@...cinc.com>,
Mathias Krause <minipli@...ecurity.net>
Subject: [GIT PULL] ucount rlimit fixes for v5.17-rc2
Linus,
Please pull the ucount-rlimit-fixes-for-v5.17-rc2 branch from the git tree:
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git ucount-rlimit-fixes-for-v5.17-rc2
HEAD: f9d87929d451d3e649699d0f1d74f71f77ad38f5 ucount: Make get_ucount a safe get_user replacement
From: "Eric W. Biederman" <ebiederm@...ssion.com>
Date: Mon, 24 Jan 2022 12:46:50 -0600
Subject: [PATCH] ucount: Make get_ucount a safe get_user replacement
When the ucount code was refactored to create get_ucount it was missed
that some of the contexts in which a rlimit is kept elevated can be
the only reference to the user/ucount in the system.
Ordinary ucount references exist in places that also have a reference
to the user namspace, but in POSIX message queues, the SysV shm code,
and the SIGPENDING code there is no independent user namespace
reference.
Inspection of the the user_namespace show no instance of circular
references between struct ucounts and the user_namespace. So
hold a reference from struct ucount to it's user_namespace to
resolve this problem.
Link: https://lore.kernel.org/lkml/YZV7Z+yXbsx9p3JN@fixkernel.com/
Reported-by: Qian Cai <quic_qiancai@...cinc.com>
Reported-by: Mathias Krause <minipli@...ecurity.net>
Tested-by: Mathias Krause <minipli@...ecurity.net>
Reviewed-by: Mathias Krause <minipli@...ecurity.net>
Reviewed-by: Alexey Gladkov <legion@...nel.org>
Fixes: d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts")
Fixes: 6e52a9f0532f ("Reimplement RLIMIT_MSGQUEUE on top of ucounts")
Fixes: d7c9e99aee48 ("Reimplement RLIMIT_MEMLOCK on top of ucounts")
Cc: stable@...r.kernel.org
Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com>
---
kernel/ucount.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/ucount.c b/kernel/ucount.c
index 7b32c356ebc5..65b597431c86 100644
--- a/kernel/ucount.c
+++ b/kernel/ucount.c
@@ -190,6 +190,7 @@ struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid)
kfree(new);
} else {
hlist_add_head(&new->node, hashent);
+ get_user_ns(new->ns);
spin_unlock_irq(&ucounts_lock);
return new;
}
@@ -210,6 +211,7 @@ void put_ucounts(struct ucounts *ucounts)
if (atomic_dec_and_lock_irqsave(&ucounts->count, &ucounts_lock, flags)) {
hlist_del_init(&ucounts->node);
spin_unlock_irqrestore(&ucounts_lock, flags);
+ put_user_ns(ucounts->ns);
kfree(ucounts);
}
}
--
2.29.2
Eric
Powered by blists - more mailing lists