ucount: Make get_ucount a safe get_user replacement

Bugzilla: https://bugzilla.redhat.com/2049040
CVE: CVE-2022-24122
Upstream Status: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

commit f9d87929d451d3e649699d0f1d74f71f77ad38f5
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Mon Jan 24 12:46:50 2022 -0600

    ucount:  Make get_ucount a safe get_user replacement

    When the ucount code was refactored to create get_ucount it was missed
    that some of the contexts in which a rlimit is kept elevated can be
    the only reference to the user/ucount in the system.

    Ordinary ucount references exist in places that also have a reference
    to the user namespace, but in POSIX message queues, the SysV shm code,
    and the SIGPENDING code there is no independent user namespace
    reference.

    Inspection of the user_namespace shows no instance of circular
    references between struct ucounts and the user_namespace.  So
    hold a reference from struct ucount to its user_namespace to
    resolve this problem.

    Link: https://lore.kernel.org/lkml/YZV7Z+yXbsx9p3JN@fixkernel.com/
    Reported-by: Qian Cai <quic_qiancai@quicinc.com>
    Reported-by: Mathias Krause <minipli@grsecurity.net>
    Tested-by: Mathias Krause <minipli@grsecurity.net>
    Reviewed-by: Mathias Krause <minipli@grsecurity.net>
    Reviewed-by: Alexey Gladkov <legion@kernel.org>
    Fixes: d646969055 ("Reimplement RLIMIT_SIGPENDING on top of ucounts")
    Fixes: 6e52a9f053 ("Reimplement RLIMIT_MSGQUEUE on top of ucounts")
    Fixes: d7c9e99aee ("Reimplement RLIMIT_MEMLOCK on top of ucounts")
    Cc: stable@vger.kernel.org
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

Signed-off-by: Alexey Gladkov <agladkov@redhat.com>
Alexey Gladkov 2022-02-01 13:23:49 +01:00
parent 4e6fd67001
commit 3ad258e8a9
1 changed files with 2 additions and 0 deletions

@ -190,6 +190,7 @@ struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid)
kfree(new);
} else {
hlist_add_head(&new->node, hashent);
get_user_ns(new->ns);
spin_unlock_irq(&ucounts_lock);
return new;
}
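Review bot: The get_user_ns(new->ns) call in the else branch of alloc_ucounts() has no comment saying who owns the reference or where it is dropped. The reference is taken only when new is added to the hash under ucounts_lock, so the kfree(new) branch above correctly has nothing to release, but that asymmetry is easy to break in a later refactor. Suggest a one-line comment such as "hashed ucounts pin their user namespace; dropped in put_ucounts()" next to the call, so the pairing with put_user_ns() is visible at the point of acquisition.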
@ -210,6 +211,7 @@ void put_ucounts(struct ucounts *ucounts)
if (atomic_dec_and_lock_irqsave(&ucounts->count, &ucounts_lock, flags)) {
hlist_del_init(&ucounts->node);
spin_unlock_irqrestore(&ucounts_lock, flags);
put_user_ns(ucounts->ns);
kfree(ucounts);
}
}
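Review bot: The put_user_ns(ucounts->ns) call in put_ucounts() depends on its position, and nothing in the code says so. It reads ucounts->ns, so it has to stay ahead of kfree(ucounts), and it sits after spin_unlock_irqrestore() so the namespace reference is not dropped while ucounts_lock is held with interrupts disabled. Suggest a short comment stating both constraints, since reordering these three lines would reintroduce a use-after-free on the structure being released.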