Re: [PATCH] signal: fix overflow_uid signal sender

From: Jann Horn
Date: Wed Nov 02 2016 - 13:25:04 EST


On Wed, Nov 02, 2016 at 07:16:41PM +0100, Oleg Nesterov wrote:
> On 10/31, Jann Horn wrote:
> >
> > static inline void userns_fixup_signal_uid(struct siginfo *info, struct task_struct *t)
> > {
> > - if (current_user_ns() == task_cred_xxx(t, user_ns))
> > + if (&init_user_ns == task_cred_xxx(t, user_ns))
> > return;
> >
> > if (SI_FROMKERNEL(info))
> > @@ -959,7 +959,7 @@ static inline void userns_fixup_signal_uid(struct siginfo *info, struct task_str
> >
> > rcu_read_lock();
> > info->si_uid = from_kuid_munged(task_cred_xxx(t, user_ns),
> > - make_kuid(current_user_ns(), info->si_uid));
> > + make_kuid(&init_user_ns, info->si_uid));
> > rcu_read_unlock();
> > }
> > #else
> > @@ -1027,7 +1027,8 @@ static int __send_signal(int sig, struct siginfo *info, struct task_struct *t,
> > q->info.si_code = SI_USER;
> > q->info.si_pid = task_tgid_nr_ns(current,
> > task_active_pid_ns(t));
> > - q->info.si_uid = from_kuid_munged(current_user_ns(), current_uid());
> > + q->info.si_uid = from_kuid(&init_user_ns,
> > + current_uid());
>
> Looks good to me at first glance, but I think this needs an ack from Eric.
>
> I have to admit that I forgot how uid_map/etc actually works, I can't
> even recall if from_kuid(init_user_ns, xxx) == __kuid_val(xxx) or not,
> although this doesn't really matter.

Yes, from_kuid(&init_user_ns, xxx) == __kuid_val(xxx). For values from 0
to 0xfffffffe, the uid_map of init_user_ns is an identity map (and it
can't be changed), and for 0xffffffff, which isn't mapped, it returns
0xffffffff to denote failure.

Attachment: signature.asc
Description: Digital signature