Commit d2f007db authored Nov 05, 2018 by Jann Horn Committed by Eric W. Biederman Nov 07, 2018

userns: also map extents in the reverse map to kernel IDs



The current logic first clones the extent array and sorts both copies, then
maps the lower IDs of the forward mapping into the lower namespace, but
doesn't map the lower IDs of the reverse mapping.

This means that code in a nested user namespace with >5 extents will see
incorrect IDs. It also breaks some access checks, like
inode_owner_or_capable() and privileged_wrt_inode_uidgid(), so a process
can incorrectly appear to be capable relative to an inode.

To fix it, we have to make sure that the "lower_first" members of extents
in both arrays are translated; and we have to make sure that the reverse
map is sorted *after* the translation (since otherwise the translation can
break the sorting).

This is CVE-2018-18955.

Fixes: 6397fac4 ("userns: bump idmap limits to 340")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Tested-by: Eric W. Biederman <ebiederm@xmission.com>
Reviewed-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>

parent 65102238

kernel/user_namespace.c

+8 −4

Original line number	Diff line number	Diff line
		@@ -974,10 +974,6 @@ static ssize_t map_write(struct file file, const char __user buf,
		if (!new_idmap_permitted(file, ns, cap_setid, &new_map))
		goto out;

		ret = sort_idmaps(&new_map);
		if (ret < 0)
		goto out;

		ret = -EPERM;
		/* Map the lower ids from the parent user namespace to the
		* kernel global id space.
		@@ -1004,6 +1000,14 @@ static ssize_t map_write(struct file file, const char __user buf,
		e->lower_first = lower_first;
		}

		/*
		* If we want to use binary search for lookup, this clones the extent
		* array and sorts both copies.
		*/
		ret = sort_idmaps(&new_map);
		if (ret < 0)
		goto out;

		/* Install the map */
		if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) {
		memcpy(map->extent, new_map.extent,

Admin message