Date:   Thu,  9 Mar 2023 22:40:33 +0100
From:   Christian Brauner <brauner@...nel.org>
To:     Jeff Layton <jlayton@...nel.org>,
        Chuck Lever <chuck.lever@...cle.com>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        "Seth Forshee (DigitalOcean)" <sforshee@...nel.org>
Cc:     Christian Brauner <brauner@...nel.org>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] filelocks: use mount idmapping for setlease permission check

From: Christian Brauner (Microsoft) <brauner@...nel.org>


On Thu, 09 Mar 2023 14:39:09 -0600, Seth Forshee (DigitalOcean) wrote:
> A user should be allowed to take out a lease via an idmapped mount if
> the fsuid matches the mapped uid of the inode. generic_setlease() is
> checking the unmapped inode uid, causing these operations to be denied.
> 
> Fix this by comparing against the mapped inode uid instead of the
> unmapped uid.
> 
> [...]

I've added a Cc: stable@...r.kernel.org so it's clear we should backport this.
But just to note this here right away, this will likely apply cleanly on 5.15
and 6.2 but fail to compile because our internal APIs changed. So I'll have to
do a custom backport for 5.15 and 6.2 once we get the failure report thingy
from the stable folks. But applied now,

[1/1] filelocks: use mount idmapping for setlease permission check
      commit: 42d0c4bdf753063b6eec55415003184d3ca24f6e
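
Added example, not part of the original message or of the kernel patch: a userspace C model of the setlease ownership check the quoted commit message describes, with the unmapped comparison beside the mapped one. The struct, the function names, the single-extent mapping and the 1000 -> 2000 sample values are assumptions for illustration, not kernel APIs.

```c
/* Userspace model only; simplified stand-ins for the kernel's idmapping
 * helpers. All names and sample values here are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define INVALID_ID UINT32_MAX

/* One extent of a mount idmapping: on-disk ids [fs_first, fs_first+count)
 * are seen through the mount as [mnt_first, mnt_first+count). */
struct idmap_model { uint32_t fs_first, mnt_first, count; };

/* Constructed sample: files owned by uid 1000 on disk appear as uid 2000. */
static const struct idmap_model sample_map = { 1000, 2000, 1 };

/* Map an inode's stored uid to the uid seen through the mount. */
static uint32_t map_inode_uid(const struct idmap_model *m, uint32_t i_uid)
{
    if (!m)                       /* non-idmapped mount: identity */
        return i_uid;
    if (i_uid < m->fs_first || i_uid - m->fs_first >= m->count)
        return INVALID_ID;        /* ids outside the map match no caller */
    return m->mnt_first + (i_uid - m->fs_first);
}

/* Pre-fix behaviour as described: raw inode uid compared with fsuid. */
static bool lease_allowed_unmapped(uint32_t i_uid, uint32_t fsuid, bool cap_lease)
{
    return i_uid == fsuid || cap_lease;
}

/* Fixed behaviour as described: mapped inode uid compared with fsuid. */
static bool lease_allowed_mapped(const struct idmap_model *m, uint32_t i_uid,
                                 uint32_t fsuid, bool cap_lease)
{
    uint32_t mapped = map_inode_uid(m, i_uid);
    return (mapped != INVALID_ID && mapped == fsuid) || cap_lease;
}

int main(void)
{
    /* Caller with fsuid 2000 owns the file as seen through the mount. */
    printf("unmapped check, fsuid 2000: %d\n",
           lease_allowed_unmapped(1000, 2000, false));
    printf("mapped check,   fsuid 2000: %d\n",
           lease_allowed_mapped(&sample_map, 1000, 2000, false));
    return 0;
}
```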