review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Jann Horn <jannh@google.com>
	Mon, 5 Nov 2018 19:55:09 +0000 (20:55 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 13 Nov 2018 19:09:00 +0000 (11:09 -0800)
commit	9a7a80fb02cc7515b273dbb4249374d6e6a35b70
tree	39873f45578a381a2d38daf715cf8cae7c7e8e45	tree \| snapshot
parent	13794b24ef4eac7951018630b0434d24b7a2f808	commit \| diff

userns: also map extents in the reverse map to kernel IDs

commit d2f007dbe7e4c9583eea6eb04d60001e85c6f1bd upstream.

The current logic first clones the extent array and sorts both copies, then
maps the lower IDs of the forward mapping into the lower namespace, but
doesn't map the lower IDs of the reverse mapping.

This means that code in a nested user namespace with >5 extents will see
incorrect IDs. It also breaks some access checks, like
inode_owner_or_capable() and privileged_wrt_inode_uidgid(), so a process
can incorrectly appear to be capable relative to an inode.

To fix it, we have to make sure that the "lower_first" members of extents
in both arrays are translated; and we have to make sure that the reverse
map is sorted *after* the translation (since otherwise the translation can
break the sorting).

This is CVE-2018-18955.

Fixes: 6397fac4915a ("userns: bump idmap limits to 340")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Tested-by: Eric W. Biederman <ebiederm@xmission.com>
Reviewed-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>