From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Miklos Szeredi <mszeredi@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Sasha Levin <sashal@kernel.org>,
linux-security-module@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 12/36] cap: fix conversions on getxattr
Date: Mon, 8 Feb 2021 12:57:42 -0500 [thread overview]
Message-ID: <20210208175806.2091668-12-sashal@kernel.org> (raw)
In-Reply-To: <20210208175806.2091668-1-sashal@kernel.org>
From: Miklos Szeredi <mszeredi@redhat.com>
[ Upstream commit f2b00be488730522d0fb7a8a5de663febdcefe0a ]
If a capability is stored on disk in v2 format cap_inode_getsecurity() will
currently return in v2 format unconditionally.
This is wrong: v2 cap should be equivalent to a v3 cap with zero rootid,
and so the same conversions performed on it.
If the rootid cannot be mapped, v3 is returned unconverted. Fix this so
that both v2 and v3 return -EOVERFLOW if the rootid (or the owner of the fs
user namespace in case of v2) cannot be mapped into the current user
namespace.
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/commoncap.c | 67 ++++++++++++++++++++++++++++----------------
1 file changed, 43 insertions(+), 24 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index 59bf3c1674c8b..a6c9bb4441d54 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -371,10 +371,11 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
{
int size, ret;
kuid_t kroot;
+ u32 nsmagic, magic;
uid_t root, mappedroot;
char *tmpbuf = NULL;
struct vfs_cap_data *cap;
- struct vfs_ns_cap_data *nscap;
+ struct vfs_ns_cap_data *nscap = NULL;
struct dentry *dentry;
struct user_namespace *fs_ns;
@@ -396,46 +397,61 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
fs_ns = inode->i_sb->s_user_ns;
cap = (struct vfs_cap_data *) tmpbuf;
if (is_v2header((size_t) ret, cap)) {
- /* If this is sizeof(vfs_cap_data) then we're ok with the
- * on-disk value, so return that. */
- if (alloc)
- *buffer = tmpbuf;
- else
- kfree(tmpbuf);
- return ret;
- } else if (!is_v3header((size_t) ret, cap)) {
- kfree(tmpbuf);
- return -EINVAL;
+ root = 0;
+ } else if (is_v3header((size_t) ret, cap)) {
+ nscap = (struct vfs_ns_cap_data *) tmpbuf;
+ root = le32_to_cpu(nscap->rootid);
+ } else {
+ size = -EINVAL;
+ goto out_free;
}
- nscap = (struct vfs_ns_cap_data *) tmpbuf;
- root = le32_to_cpu(nscap->rootid);
kroot = make_kuid(fs_ns, root);
/* If the root kuid maps to a valid uid in current ns, then return
* this as a nscap. */
mappedroot = from_kuid(current_user_ns(), kroot);
if (mappedroot != (uid_t)-1 && mappedroot != (uid_t)0) {
+ size = sizeof(struct vfs_ns_cap_data);
if (alloc) {
- *buffer = tmpbuf;
+ if (!nscap) {
+ /* v2 -> v3 conversion */
+ nscap = kzalloc(size, GFP_ATOMIC);
+ if (!nscap) {
+ size = -ENOMEM;
+ goto out_free;
+ }
+ nsmagic = VFS_CAP_REVISION_3;
+ magic = le32_to_cpu(cap->magic_etc);
+ if (magic & VFS_CAP_FLAGS_EFFECTIVE)
+ nsmagic |= VFS_CAP_FLAGS_EFFECTIVE;
+ memcpy(&nscap->data, &cap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
+ nscap->magic_etc = cpu_to_le32(nsmagic);
+ } else {
+ /* use allocated v3 buffer */
+ tmpbuf = NULL;
+ }
nscap->rootid = cpu_to_le32(mappedroot);
- } else
- kfree(tmpbuf);
- return size;
+ *buffer = nscap;
+ }
+ goto out_free;
}
if (!rootid_owns_currentns(kroot)) {
- kfree(tmpbuf);
- return -EOPNOTSUPP;
+ size = -EOVERFLOW;
+ goto out_free;
}
/* This comes from a parent namespace. Return as a v2 capability */
size = sizeof(struct vfs_cap_data);
if (alloc) {
- *buffer = kmalloc(size, GFP_ATOMIC);
- if (*buffer) {
- struct vfs_cap_data *cap = *buffer;
- __le32 nsmagic, magic;
+ if (nscap) {
+ /* v3 -> v2 conversion */
+ cap = kzalloc(size, GFP_ATOMIC);
+ if (!cap) {
+ size = -ENOMEM;
+ goto out_free;
+ }
magic = VFS_CAP_REVISION_2;
nsmagic = le32_to_cpu(nscap->magic_etc);
if (nsmagic & VFS_CAP_FLAGS_EFFECTIVE)
@@ -443,9 +459,12 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
memcpy(&cap->data, &nscap->data, sizeof(__le32) * 2 * VFS_CAP_U32);
cap->magic_etc = cpu_to_le32(magic);
} else {
- size = -ENOMEM;
+ /* use unconverted v2 */
+ tmpbuf = NULL;
}
+ *buffer = cap;
}
+out_free:
kfree(tmpbuf);
return size;
}
--
2.27.0
next prev parent reply other threads:[~2021-02-08 19:21 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-08 17:57 [PATCH AUTOSEL 5.10 01/36] soc: ti: omap-prm: Fix boot time errors for rst_map_012 bits 0 and 1 Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 02/36] arm64: dts: rockchip: Fix PCIe DT properties on rk3399 Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 03/36] Input: goodix - add support for Goodix GT9286 chip Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 04/36] arm64: dts: qcom: sdm845: Reserve LPASS clocks in gcc Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 05/36] ARM: OMAP2+: Fix suspcious RCU usage splats for omap_enter_idle_coupled Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 06/36] arm64: dts: rockchip: remove interrupt-names property from rk3399 vdec node Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 07/36] kbuild: simplify GCC_PLUGINS enablement in dummy-tools/gcc Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 08/36] Input: xpad - sync supported devices with fork on GitHub Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 09/36] platform/x86: hp-wmi: Disable tablet-mode reporting by default Sasha Levin
2021-02-10 23:22 ` mark gross
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 10/36] arm64: dts: rockchip: Disable display for NanoPi R2S Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 11/36] ovl: perform vfs_getxattr() with mounter creds Sasha Levin
2021-02-08 17:57 ` Sasha Levin [this message]
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 13/36] ovl: skip getxattr of security labels Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 14/36] media: rkisp1: uapi: change hist_bins array type from __u16 to __u32 Sasha Levin
2021-02-08 20:46 ` Hans Verkuil
2021-02-09 12:45 ` Dafna Hirschfeld
2021-02-09 13:02 ` Greg Kroah-Hartman
2021-02-09 13:39 ` Hans Verkuil
2021-02-09 13:44 ` Greg Kroah-Hartman
2021-02-10 15:33 ` Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 15/36] media: rkisp1: stats: remove a wrong cast to u8 Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 16/36] media: rkisp1: stats: mask the hist_bins values Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 17/36] scsi: lpfc: Fix EEH encountering oops with NVMe traffic Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 18/36] x86/split_lock: Enable the split lock feature on another Alder Lake CPU Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 19/36] nvme-pci: ignore the subsysem NQN on Phison E16 Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 20/36] drm/amd/display: Fix DPCD translation for LTTPR AUX_RD_INTERVAL Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 21/36] drm/amd/display: Add more Clock Sources to DCN2.1 Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 22/36] drm/amd/display: Release DSC before acquiring Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 23/36] drm/amd/display: Fix dc_sink kref count in emulated_link_detect Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 24/36] drm/amd/display: Free atomic state after drm_atomic_commit Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 25/36] drm/amd/display: Decrement refcount of dc_sink before reassignment Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 26/36] riscv: virt_addr_valid must check the address belongs to linear mapping Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 27/36] bfq-iosched: Revert "bfq: Fix computation of shallow depth" Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 28/36] ARM: dts: lpc32xx: Revert set default clock rate of HCLK PLL Sasha Levin
2021-02-08 17:57 ` [PATCH AUTOSEL 5.10 29/36] kallsyms: fix nonconverging kallsyms table with lld Sasha Levin
2021-02-08 17:58 ` [PATCH AUTOSEL 5.10 30/36] ARM: ensure the signal page contains defined contents Sasha Levin
2021-02-08 17:58 ` [PATCH AUTOSEL 5.10 31/36] ARM: kexec: fix oops after TLB are invalidated Sasha Levin
2021-02-08 17:58 ` [PATCH AUTOSEL 5.10 32/36] init/gcov: allow CONFIG_CONSTRUCTORS on UML to fix module gcov Sasha Levin
2021-02-08 17:58 ` [PATCH AUTOSEL 5.10 33/36] kasan: add explicit preconditions to kasan_report() Sasha Levin
2021-02-08 17:58 ` [PATCH AUTOSEL 5.10 34/36] ubsan: implement __ubsan_handle_alignment_assumption Sasha Levin
2021-02-08 17:58 ` [PATCH AUTOSEL 5.10 35/36] Revert "lib: Restrict cpumask_local_spread to houskeeping CPUs" Sasha Levin
2021-02-08 17:58 ` [PATCH AUTOSEL 5.10 36/36] x86/efi: Remove EFI PGD build time checks Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210208175806.2091668-12-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mszeredi@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).