All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Colin Watson <cjwatson@ubuntu.com>,
	Christian Brauner <christian@brauner.io>,
	Serge Hallyn <serge@hallyn.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>
Subject: [PATCH 3.18 28/29] getxattr: use correct xattr length
Date: Fri,  7 Sep 2018 23:10:49 +0200	[thread overview]
Message-ID: <20180907210911.364844106@linuxfoundation.org> (raw)
In-Reply-To: <20180907210909.523240901@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian Brauner <christian@brauner.io>

commit 82c9a927bc5df6e06b72d206d24a9d10cced4eb5 upstream.

When running in a container with a user namespace, if you call getxattr
with name = "system.posix_acl_access" and size % 8 != 4, then getxattr
silently skips the user namespace fixup that it normally does resulting in
un-fixed-up data being returned.
This is caused by posix_acl_fix_xattr_to_user() being passed the total
buffer size and not the actual size of the xattr as returned by
vfs_getxattr().
This commit passes the actual length of the xattr as returned by
vfs_getxattr() down.

A reproducer for the issue is:

  touch acl_posix

  setfacl -m user:0:rwx acl_posix

and the compile:

  #define _GNU_SOURCE
  #include <errno.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <sys/types.h>
  #include <unistd.h>
  #include <attr/xattr.h>

  /* Run in user namespace with nsuid 0 mapped to uid != 0 on the host. */
  int main(int argc, void **argv)
  {
          ssize_t ret1, ret2;
          char buf1[128], buf2[132];
          int fret = EXIT_SUCCESS;
          char *file;

          if (argc < 2) {
                  fprintf(stderr,
                          "Please specify a file with "
                          "\"system.posix_acl_access\" permissions set\n");
                  _exit(EXIT_FAILURE);
          }
          file = argv[1];

          ret1 = getxattr(file, "system.posix_acl_access",
                          buf1, sizeof(buf1));
          if (ret1 < 0) {
                  fprintf(stderr, "%s - Failed to retrieve "
                                  "\"system.posix_acl_access\" "
                                  "from \"%s\"\n", strerror(errno), file);
                  _exit(EXIT_FAILURE);
          }

          ret2 = getxattr(file, "system.posix_acl_access",
                          buf2, sizeof(buf2));
          if (ret2 < 0) {
                  fprintf(stderr, "%s - Failed to retrieve "
                                  "\"system.posix_acl_access\" "
                                  "from \"%s\"\n", strerror(errno), file);
                  _exit(EXIT_FAILURE);
          }

          if (ret1 != ret2) {
                  fprintf(stderr, "The value of \"system.posix_acl_"
                                  "access\" for file \"%s\" changed "
                                  "between two successive calls\n", file);
                  _exit(EXIT_FAILURE);
          }

          for (ssize_t i = 0; i < ret2; i++) {
                  if (buf1[i] == buf2[i])
                          continue;

                  fprintf(stderr,
                          "Unexpected different in byte %zd: "
                          "%02x != %02x\n", i, buf1[i], buf2[i]);
                  fret = EXIT_FAILURE;
          }

          if (fret == EXIT_SUCCESS)
                  fprintf(stderr, "Test passed\n");
          else
                  fprintf(stderr, "Test failed\n");

          _exit(fret);
  }
and run:

  ./tester acl_posix

On a non-fixed up kernel this should return something like:

  root@c1:/# ./t
  Unexpected different in byte 16: ffffffa0 != 00
  Unexpected different in byte 17: ffffff86 != 00
  Unexpected different in byte 18: 01 != 00

and on a fixed kernel:

  root@c1:~# ./t
  Test passed

Cc: stable@vger.kernel.org
Fixes: 2f6f0654ab61 ("userns: Convert vfs posix_acl support to use kuids and kgids")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=199945
Reported-by: Colin Watson <cjwatson@ubuntu.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/xattr.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -455,7 +455,7 @@ getxattr(struct dentry *d, const char __
 	if (error > 0) {
 		if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) ||
 		    (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0))
-			posix_acl_fix_xattr_to_user(kvalue, size);
+			posix_acl_fix_xattr_to_user(kvalue, error);
 		if (size && copy_to_user(value, kvalue, error))
 			error = -EFAULT;
 	} else if (error == -ERANGE && size >= XATTR_SIZE_MAX) {



  parent reply	other threads:[~2018-09-07 21:44 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-07 21:10 [PATCH 3.18 00/29] 3.18.122-stable review Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 01/29] spi: davinci: fix a NULL pointer dereference Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 02/29] powerpc/fadump: handle crash memory ranges array index overflow Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 03/29] powerpc/pseries: Fix endianness while restoring of r3 in MCE handler Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 04/29] 9p/virtio: fix off-by-one error in sg list bounds check Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 05/29] net/9p/client.c: version pointer uninitialized Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 06/29] net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree() Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 07/29] dm cache metadata: save in-core policy_hint_size to on-disk superblock Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 08/29] iio: ad9523: Fix displayed phase Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 09/29] iio: ad9523: Fix return value for ad952x_store() Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 10/29] tracing: Do not call start/stop() functions when tracing_on does not change Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 11/29] tracing/blktrace: Fix to allow setting same value Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 12/29] kthread, tracing: Dont expose half-written comm when creating kthreads Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 13/29] uprobes: Use synchronize_rcu() not synchronize_sched() Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 14/29] 9p: fix multiple NULL-pointer-dereferences Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 15/29] pnfs/blocklayout: off by one in bl_map_stripe() Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 16/29] ARM: tegra: Fix Tegra30 Cardhu PCA954x reset Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 17/29] mm/tlb: Remove tlb_remove_table() non-concurrent condition Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 18/29] osf_getdomainname(): use copy_to_user() Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 19/29] sys: dont hold uts_sem while accessing userspace memory Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 20/29] userns; Correct the comment in map_write Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 21/29] userns: move user access out of the mutex Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 22/29] ubifs: Fix memory leak in lprobs self-check Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 23/29] Revert "UBIFS: Fix potential integer overflow in allocation" Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 24/29] ubifs: Fix synced_i_size calculation for xattr inodes Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 25/29] pwm: tiehrpwm: Fix disabling of output of PWMs Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 26/29] fb: fix lost console when the user unplugs a USB adapter Greg Kroah-Hartman
2018-09-07 21:10 ` [PATCH 3.18 27/29] udlfb: set optimal write delay Greg Kroah-Hartman
2018-09-07 21:10 ` Greg Kroah-Hartman [this message]
2018-09-07 21:10 ` [PATCH 3.18 29/29] bcache: release dc->writeback_lock properly in bch_writeback_thread() Greg Kroah-Hartman
2018-09-07 22:41 ` [PATCH 3.18 00/29] 3.18.122-stable review Nathan Chancellor
2018-09-08  5:23 ` Harsh 'Shandilya
2018-09-08  8:29   ` Greg Kroah-Hartman
2018-09-08 14:01 ` Guenter Roeck
2018-09-08 21:12 ` Guenter Roeck
2018-09-09  9:28   ` Greg Kroah-Hartman
2018-09-09 15:51     ` Guenter Roeck
2018-09-10 15:00 ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180907210911.364844106@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=christian@brauner.io \
    --cc=cjwatson@ubuntu.com \
    --cc=ebiederm@xmission.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=serge@hallyn.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.