From: "Eric W. Biederman" <ebied...@xmission.com>

commit 61956630e41032f05c1e95e85f715c8f317304b1 from
https://github.com/altera-opensource/linux-socfpga.git

[upstream commit f9d87929d451d3e649699d0f1d74f71f77ad38f5]

When the ucount code was refactored to create get_ucount it was missed
that some of the contexts in which a rlimit is kept elevated can be
the only reference to the user/ucount in the system.

Ordinary ucount references exist in places that also have a reference
to the user namespace, but in POSIX message queues, the SysV shm code,
and the SIGPENDING code there is no independent user namespace
reference.

Inspection of the user_namespace shows no instance of circular
references between struct ucounts and the user_namespace.  So
hold a reference from struct ucount to its user_namespace to
resolve this problem.

Link: https://lore.kernel.org/lkml/yzv7z+yxbsx9p...@fixkernel.com/
Reported-by: Qian Cai <quic_qian...@quicinc.com>
Reported-by: Mathias Krause <mini...@grsecurity.net>
Tested-by: Mathias Krause <mini...@grsecurity.net>
Reviewed-by: Mathias Krause <mini...@grsecurity.net>
Reviewed-by: Alexey Gladkov <leg...@kernel.org>
Fixes: d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts")
Fixes: 6e52a9f0532f ("Reimplement RLIMIT_MSGQUEUE on top of ucounts")
Fixes: d7c9e99aee48 ("Reimplement RLIMIT_MEMLOCK on top of ucounts")
Cc: sta...@vger.kernel.org
Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com>
Signed-off-by: Wenlin Kang <wenlin.k...@windriver.com>
---
 kernel/ucount.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/ucount.c b/kernel/ucount.c
index 11b1596e2542..e0d095ef8a52 100644
--- a/kernel/ucount.c
+++ b/kernel/ucount.c
@@ -150,6 +150,7 @@ static struct ucounts *get_ucounts(struct user_namespace 
*ns, kuid_t uid)
                } else {
                        hlist_add_head(&new->node, hashent);
                        ucounts = new;
+                       get_user_ns(new->ns);
                }
        }
        if (ucounts->count == INT_MAX)
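
Review bot: the get_user_ns(new->ns) added in the else branch carries no comment saying what releases it. The reference is taken only on the path where new is inserted into the hash list, so a one-line comment there, stating that each hashed ucounts pins its user namespace until put_ucounts() frees the entry, would make the pairing with the put_user_ns() call in the second hunk explicit for later readers.
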
@@ -173,6 +174,7 @@ static void put_ucounts(struct ucounts *ucounts)
        spin_unlock_irqrestore(&ucounts_lock, flags);
 
        kfree(ucounts);
+       put_user_ns(ucounts->ns);
 }
 
 static inline bool atomic_inc_below(atomic_t *v, int u)
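
Review bot: put_user_ns(ucounts->ns) is placed after kfree(ucounts) in put_ucounts(), so it reads ucounts->ns from memory that has already been freed, which is a use-after-free. Drop the namespace reference before freeing the structure, i.e. put_user_ns(ucounts->ns); followed by kfree(ucounts);, or copy ucounts->ns into a local variable before the kfree() and pass that to put_user_ns(). This ordering is also worth checking against the upstream commit named in the message, since it decides whether the backport is a faithful copy of that fix.
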
-- 
2.25.1
