From patchwork Wed Oct 17 04:17:44 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Po-Hsu Lin X-Patchwork-Id: 985092 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 42Zf7l0l93z9sBj; Wed, 17 Oct 2018 15:18:59 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1gCdIG-0004Su-FK; Wed, 17 Oct 2018 04:18:48 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.86_2) (envelope-from ) id 1gCdIE-0004Sc-Mt for kernel-team@lists.ubuntu.com; Wed, 17 Oct 2018 04:18:46 +0000 Received: from mail-pg1-f200.google.com ([209.85.215.200]) by youngberry.canonical.com with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1gCdHO-0002DF-Iu for kernel-team@lists.ubuntu.com; Wed, 17 Oct 2018 04:17:54 +0000 Received: by mail-pg1-f200.google.com with SMTP id r134-v6so13991933pgr.19 for ; Tue, 16 Oct 2018 21:17:54 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=90Xs33kt9VTKhU2f8Iti6r8+FPVoruTnT4EWSgBSuPQ=; b=PH4/P0FN3N3Lb/gxdL4DLCLUZ81snguSp0vpPAbByin3bo0dAVwX67PlhRPSoOdu31 wjuCyhr0zYRA5f6gX+ci1qB3U6hBO2WF7UiChxbO7yPUnM7tNo9FomOWRfsTofsWrO98 YRr8Q4Kt5lzpufddd/FZti8XThCIvO4bFElkntP5WcWFtb5tRI8A6jFoozFFC9rYzuaw zVLhux+e+4pm/f7Vv7wS4dXKfPwAYAQBsz61pNtD5+ExRzvlIMq7S+X2NqyZrqj+WCSz r09J6WDZv74wU0dO1W/Yi3BEnRxPHXR6fjlWKC0db/Tvj8aHiGvcgAhVrAFbFfwwAPSo qUbw== X-Gm-Message-State: ABuFfohsFF6R2sdNJs+FZPVGxZUsdQwgu/bqk/F7cvujCHSH12+UfTZQ H5cxWgb7cJxkLVM/AlU0FPsWbCLEGBqiolj89WSLxzQ6eQ0CHA0DSusG/zH+RR2xl4qkxtC6Mn2 1LiCEtoEEVRcz5TvP8nssCV7ANJGEOW3Lo5BAyBwn X-Received: by 2002:a63:f848:: with SMTP id v8-v6mr22628421pgj.82.1539749872670; Tue, 16 Oct 2018 21:17:52 -0700 (PDT) X-Google-Smtp-Source: ACcGV62+Ytk40NwmUj9XRIfvn3UJZ5cqqnOFJxhoYFVpgt6V+CbhI7pWrejoFGGI9O9Sj8XxHaOj9A== X-Received: by 2002:a63:f848:: with SMTP id v8-v6mr22628405pgj.82.1539749872433; Tue, 16 Oct 2018 21:17:52 -0700 (PDT) Received: from Leggiero.taipei.internal (61-220-137-37.HINET-IP.hinet.net. [61.220.137.37]) by smtp.gmail.com with ESMTPSA id t22-v6sm23116423pfk.141.2018.10.16.21.17.50 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 16 Oct 2018 21:17:51 -0700 (PDT) From: Po-Hsu Lin To: kernel-team@lists.ubuntu.com Subject: [Trusty][SRU][PATCH 1/1] getxattr: use correct xattr length Date: Wed, 17 Oct 2018 12:17:44 +0800 Message-Id: <20181017041744.1232-2-po-hsu.lin@canonical.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181017041744.1232-1-po-hsu.lin@canonical.com> References: <20181017041744.1232-1-po-hsu.lin@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Christian Brauner BugLink: https://bugs.launchpad.net/bugs/1798013 When running in a container with a user namespace, if you call getxattr with name = "system.posix_acl_access" and size % 8 != 4, then getxattr silently skips the user namespace fixup that it normally does resulting in un-fixed-up data being returned. This is caused by posix_acl_fix_xattr_to_user() being passed the total buffer size and not the actual size of the xattr as returned by vfs_getxattr(). This commit passes the actual length of the xattr as returned by vfs_getxattr() down. A reproducer for the issue is: touch acl_posix setfacl -m user:0:rwx acl_posix and the compile: #define _GNU_SOURCE #include #include #include #include #include #include #include /* Run in user namespace with nsuid 0 mapped to uid != 0 on the host. */ int main(int argc, void **argv) { ssize_t ret1, ret2; char buf1[128], buf2[132]; int fret = EXIT_SUCCESS; char *file; if (argc < 2) { fprintf(stderr, "Please specify a file with " "\"system.posix_acl_access\" permissions set\n"); _exit(EXIT_FAILURE); } file = argv[1]; ret1 = getxattr(file, "system.posix_acl_access", buf1, sizeof(buf1)); if (ret1 < 0) { fprintf(stderr, "%s - Failed to retrieve " "\"system.posix_acl_access\" " "from \"%s\"\n", strerror(errno), file); _exit(EXIT_FAILURE); } ret2 = getxattr(file, "system.posix_acl_access", buf2, sizeof(buf2)); if (ret2 < 0) { fprintf(stderr, "%s - Failed to retrieve " "\"system.posix_acl_access\" " "from \"%s\"\n", strerror(errno), file); _exit(EXIT_FAILURE); } if (ret1 != ret2) { fprintf(stderr, "The value of \"system.posix_acl_" "access\" for file \"%s\" changed " "between two successive calls\n", file); _exit(EXIT_FAILURE); } for (ssize_t i = 0; i < ret2; i++) { if (buf1[i] == buf2[i]) continue; fprintf(stderr, "Unexpected different in byte %zd: " "%02x != %02x\n", i, buf1[i], buf2[i]); fret = EXIT_FAILURE; } if (fret == EXIT_SUCCESS) fprintf(stderr, "Test passed\n"); else fprintf(stderr, "Test failed\n"); _exit(fret); } and run: ./tester acl_posix On a non-fixed up kernel this should return something like: root@c1:/# ./t Unexpected different in byte 16: ffffffa0 != 00 Unexpected different in byte 17: ffffff86 != 00 Unexpected different in byte 18: 01 != 00 and on a fixed kernel: root@c1:~# ./t Test passed Cc: stable@vger.kernel.org Fixes: 2f6f0654ab61 ("userns: Convert vfs posix_acl support to use kuids and kgids") Link: https://bugzilla.kernel.org/show_bug.cgi?id=199945 Reported-by: Colin Watson Signed-off-by: Christian Brauner Acked-by: Serge Hallyn Signed-off-by: Eric W. Biederman (cherry picked from commit 82c9a927bc5df6e06b72d206d24a9d10cced4eb5) Signed-off-by: Po-Hsu Lin Acked-by: Stefan Bader Acked-by: Kleber Sacilotto de Souza Acked-by: Colin Ian King --- fs/xattr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/xattr.c b/fs/xattr.c index 3377dff..afc74ba 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -466,7 +466,7 @@ getxattr(struct dentry *d, const char __user *name, void __user *value, if (error > 0) { if ((strcmp(kname, XATTR_NAME_POSIX_ACL_ACCESS) == 0) || (strcmp(kname, XATTR_NAME_POSIX_ACL_DEFAULT) == 0)) - posix_acl_fix_xattr_to_user(kvalue, size); + posix_acl_fix_xattr_to_user(kvalue, error); if (size && copy_to_user(value, kvalue, error)) error = -EFAULT; } else if (error == -ERANGE && size >= XATTR_SIZE_MAX) {