From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jann Horn, "Eric W. Biederman"
Subject: [PATCH 4.19 359/361] userns: also map extents in the reverse map to kernel IDs
Date: Sun, 11 Nov 2018 14:21:46 -0800
Message-Id: <20181111221702.182204786@linuxfoundation.org>
In-Reply-To: <20181111221619.915519183@linuxfoundation.org>
References: <20181111221619.915519183@linuxfoundation.org>

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn

commit d2f007dbe7e4c9583eea6eb04d60001e85c6f1bd upstream.

The current logic first clones the extent array and sorts both copies, then
maps the lower IDs of the forward mapping into the lower namespace, but
doesn't map the lower IDs of the reverse mapping.

This means that code in a nested user namespace with >5 extents will see
incorrect IDs. It also breaks some access checks, like
inode_owner_or_capable() and privileged_wrt_inode_uidgid(), so a process
can incorrectly appear to be capable relative to an inode.

To fix it, we have to make sure that the "lower_first" members of extents
in both arrays are translated; and we have to make sure that the reverse
map is sorted *after* the translation (since otherwise the translation can
break the sorting).

This is CVE-2018-18955.

Fixes: 6397fac4915a ("userns: bump idmap limits to 340")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn
Tested-by: Eric W. Biederman
Reviewed-by: Eric W. Biederman
Signed-off-by: Eric W. Biederman
Signed-off-by: Greg Kroah-Hartman

---
 kernel/user_namespace.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c @@ -974,10 +974,6 @@ static ssize_t map_write(struct file *fi if (!new_idmap_permitted(file, ns, cap_setid, &new_map)) goto out; - ret = sort_idmaps(&new_map); - if (ret < 0) - goto out; - ret = -EPERM; /* Map the lower ids from the parent user namespace to the * kernel global id space. @@ -1004,6 +1000,14 @@ static ssize_t map_write(struct file *fi e->lower_first = lower_first; } + /* + * If we want to use binary search for lookup, this clones the extent + * array and sorts both copies. + */ + ret = sort_idmaps(&new_map); + if (ret < 0) + goto out; + /* Install the map */ if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) { memcpy(map->extent, new_map.extent,
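
Review bot: At the removed sort_idmaps() call in the first hunk (@@ -974), the lower-ID translation loop that follows now walks the extents in the order they were written instead of in sorted order, and nothing in the visible lines says whether that loop is order-independent. Suggest a one-line comment at this spot noting that sorting is deliberately deferred until after the lower IDs have been translated, so a later cleanup does not move the call back up next to new_idmap_permitted().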
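
Review bot: The comment added above the relocated sort_idmaps() call in the second hunk (@@ -1004) says what the function does but not why it has to sit after the loop that assigns e->lower_first, which is the ordering constraint the whole fix rests on. Suggest extending it with something like "must run after lower_first has been translated, otherwise the translation can break the sorting of the reverse map". Also, ret used to hold -EPERM from the translation loop onward and now holds the return value of sort_idmaps() when "Install the map" is reached; worth confirming that no path after this point relied on the old value.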
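
Added example, not part of the original mail or of the kernel source: a user-space C model of the ordering problem the commit message describes, comparing a reverse map cloned before the lower IDs are translated with one cloned and sorted afterwards. The struct extent layout, the three-entry constructed maps and all helper names are assumptions made for illustration (the kernel only builds sorted forward/reverse arrays for more than 5 extents).

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the kernel's extent record (assumed layout). */
struct extent { unsigned first, lower_first, count; };
#define N 3
#define NOT_MAPPED ((unsigned)-1)

/* Constructed parent map (parent-namespace ID -> kernel ID), deliberately
 * non-monotonic so that translation changes the relative order. */
static const struct extent parent[N] = { {0, 3000, 10}, {10, 1000, 10}, {20, 2000, 10} };

static unsigned to_kernel(unsigned id)
{
    for (int i = 0; i < N; i++)
        if (id >= parent[i].first && id - parent[i].first < parent[i].count)
            return parent[i].lower_first + (id - parent[i].first);
    return NOT_MAPPED;
}

static int cmp_lower(const void *a, const void *b)
{
    const struct extent *x = a, *y = b;
    return (x->lower_first > y->lower_first) - (x->lower_first < y->lower_first);
}

/* bsearch comparison: is kernel ID *k below, inside or above extent e? */
static int cmp_key(const void *k, const void *e)
{
    unsigned id = *(const unsigned *)k;
    const struct extent *x = e;
    return id < x->lower_first ? -1 : (id - x->lower_first >= x->count);
}

/* Build the reverse map in the old (0) or fixed (1) order, then map one
 * kernel ID back to an ID in the nested namespace. */
static unsigned reverse_lookup(int fixed_order, unsigned kernel_id)
{
    struct extent fwd[N] = { {0, 0, 10}, {10, 10, 10}, {20, 20, 10} };
    struct extent rev[N];

    memcpy(rev, fwd, sizeof rev);       /* old order: clone before translation */
    for (int i = 0; i < N; i++)         /* translate lower_first to kernel IDs */
        fwd[i].lower_first = to_kernel(fwd[i].lower_first);
    if (fixed_order)
        memcpy(rev, fwd, sizeof rev);   /* fixed order: clone after translation */
    qsort(rev, N, sizeof rev[0], cmp_lower);
    const struct extent *hit = bsearch(&kernel_id, rev, N, sizeof rev[0], cmp_key);
    return hit ? hit->first + (kernel_id - hit->lower_first) : NOT_MAPPED;
}
```

With the old order, reverse_lookup(0, 1005) returns NOT_MAPPED and reverse_lookup(0, 5) returns 5 even though kernel ID 5 is not covered by the parent map; with the fixed order the same calls return 15 and NOT_MAPPED.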