    userns: also map extents in the reverse map to kernel IDs · d2f007db
    Jann Horn authored
    The current logic first clones the extent array and sorts both copies, then
    maps the lower IDs of the forward mapping into the lower namespace, but
    doesn't map the lower IDs of the reverse mapping.
    
    This means that code in a nested user namespace with >5 extents will see
    incorrect IDs. It also breaks some access checks, like
    inode_owner_or_capable() and privileged_wrt_inode_uidgid(), so a process
    can incorrectly appear to be capable relative to an inode.
    
    To fix it, we have to make sure that the "lower_first" members of extents
    in both arrays are translated; and we have to make sure that the reverse
    map is sorted *after* the translation (since otherwise the translation can
    break the sorting).
    
    This is CVE-2018-18955.
    
    Fixes: 6397fac4 ("userns: bump idmap limits to 340")
    Cc: stable@vger.kernel.org
    Signed-off-by: Jann Horn <jannh@google.com>
    Tested-by: Eric W. Biederman <ebiederm@xmission.com>
    Reviewed-by: Eric W. Biederman <ebiederm@xmission.com>
    Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
user_namespace.c 33.4 KB
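
The ordering requirement described in the commit message above, as an added userspace model (not kernel code and not part of the commit): it builds a reverse map three ways and looks up kernel IDs in each. The two-extent maps are constructed, the model always binary-searches even though the message ties the bug to >5 extents, and every name in it is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define NO_ID UINT32_MAX
struct extent { uint32_t first, lower_first, count; };
enum mode { SORT_ONLY, SORT_THEN_TRANSLATE, TRANSLATE_THEN_SORT };

/* Constructed child map as written by userspace: lower_first is a parent ID. */
static const struct extent child_map[] = { {0, 0, 10}, {10, 1000, 10} };

/* Constructed parent map, not monotonic: 0..999 -> 200000.., 1000..1999 -> 100000.. */
static uint32_t parent_to_kernel(uint32_t id)
{
    return id < 1000 ? 200000 + id : 100000 + (id - 1000);
}

static int cmp_lower(const void *a, const void *b)
{
    const struct extent *x = a, *y = b;
    return (x->lower_first > y->lower_first) - (x->lower_first < y->lower_first);
}

/* Build the reverse map in the given order, then binary-search it by kernel ID. */
static uint32_t kernel_to_child(enum mode m, uint32_t kid)
{
    struct extent rev[2] = { child_map[0], child_map[1] };
    size_t lo = 0, hi = 2;
    if (m != TRANSLATE_THEN_SORT)
        qsort(rev, 2, sizeof(rev[0]), cmp_lower);
    for (size_t i = 0; m != SORT_ONLY && i < 2; i++)
        rev[i].lower_first = parent_to_kernel(rev[i].lower_first);
    if (m == TRANSLATE_THEN_SORT)
        qsort(rev, 2, sizeof(rev[0]), cmp_lower);
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (kid < rev[mid].lower_first)
            hi = mid;
        else if (kid - rev[mid].lower_first < rev[mid].count)
            return rev[mid].first + (kid - rev[mid].lower_first);
        else
            lo = mid + 1;
    }
    return NO_ID;
}
int main(void)
{
    for (int m = SORT_ONLY; m <= TRANSLATE_THEN_SORT; m++)
        printf("mode %d: kernel 200005 -> %u, kernel 5 -> %u\n", m,
               kernel_to_child(m, 200005), kernel_to_child(m, 5));
}
```

Only TRANSLATE_THEN_SORT resolves the delegated kernel ID and rejects the undelegated one; SORT_ONLY compares kernel IDs against untranslated parent IDs, and SORT_THEN_TRANSLATE searches an array the translation has left unsorted.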