Commit 905ae01c authored by Alexey Gladkov's avatar Alexey Gladkov Committed by Eric W. Biederman
Browse files

Add a reference to ucounts for each cred 



For RLIMIT_NPROC and some other rlimits the user_struct that holds the
global limit is kept alive for the lifetime of a process by keeping it
in struct cred. Adding a pointer to ucounts in the struct cred will
allow to track RLIMIT_NPROC not only for user in the system, but for
user in the user_namespace.

Updating ucounts may require memory allocation which may fail. So, we
cannot change cred.ucounts in the commit_creds() because this function
cannot fail and it should always return 0. For this reason, we modify
cred.ucounts before calling the commit_creds().

Changelog

v6:
* Fix null-ptr-deref in is_ucounts_overlimit() detected by trinity. This
  error was caused by the fact that cred_alloc_blank() left the ucounts
  pointer empty.

Reported-by: default avatarkernel test robot <oliver.sang@intel.com>
Signed-off-by: default avatarAlexey Gladkov <legion@kernel.org>
Link: https://lkml.kernel.org/r/b37aaef28d8b9b0d757e07ba6dd27281bbe39259.1619094428.git.legion@kernel.org


Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
parent f9c82a4e

fs/exec.c

+4 −0
Original line number Diff line number Diff line
@@ -1360,6 +1360,10 @@ int begin_new_exec(struct linux_binprm * bprm) 
	WRITE_ONCE(me->self_exec_id, me->self_exec_id + 1);

	flush_signal_handlers(me, 0);



	retval = set_cred_ucounts(bprm->cred);

	if (retval < 0)

		goto out_unlock;



	/*

	 * install the new credentials for this executable

	 */

include/linux/cred.h

+2 −0
Original line number Diff line number Diff line
@@ -144,6 +144,7 @@ struct cred { 
#endif

	struct user_struct *user;	/* real user ID subscription */

	struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */

	struct ucounts *ucounts;

	struct group_info *group_info;	/* supplementary groups for euid/fsgid */

	/* RCU deletion */

	union {
@@ -170,6 +171,7 @@ extern int set_security_override_from_ctx(struct cred *, const char *); 
extern int set_create_files_as(struct cred *, struct inode *);

extern int cred_fscmp(const struct cred *, const struct cred *);

extern void __init cred_init(void);

extern int set_cred_ucounts(struct cred *);



/*

 * check for validity of credentials

include/linux/user_namespace.h

+4 −0
Original line number Diff line number Diff line
@@ -100,11 +100,15 @@ struct ucounts { 
};



extern struct user_namespace init_user_ns;

extern struct ucounts init_ucounts;



bool setup_userns_sysctls(struct user_namespace *ns);

void retire_userns_sysctls(struct user_namespace *ns);

struct ucounts *inc_ucount(struct user_namespace *ns, kuid_t uid, enum ucount_type type);

void dec_ucount(struct ucounts *ucounts, enum ucount_type type);

struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid);

struct ucounts *get_ucounts(struct ucounts *ucounts);

void put_ucounts(struct ucounts *ucounts);



#ifdef CONFIG_USER_NS

kernel/cred.c

+40 −0
Original line number Diff line number Diff line
@@ -60,6 +60,7 @@ struct cred init_cred = { 
	.user			= INIT_USER,

	.user_ns		= &init_user_ns,

	.group_info		= &init_groups,

	.ucounts		= &init_ucounts,

};



static inline void set_cred_subscribers(struct cred *cred, int n)
@@ -119,6 +120,8 @@ static void put_cred_rcu(struct rcu_head *rcu) 
	if (cred->group_info)

		put_group_info(cred->group_info);

	free_uid(cred->user);

	if (cred->ucounts)

		put_ucounts(cred->ucounts);

	put_user_ns(cred->user_ns);

	kmem_cache_free(cred_jar, cred);

}
@@ -222,6 +225,7 @@ struct cred *cred_alloc_blank(void) 
#ifdef CONFIG_DEBUG_CREDENTIALS

	new->magic = CRED_MAGIC;

#endif

	new->ucounts = get_ucounts(&init_ucounts);



	if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)

		goto error;
@@ -284,6 +288,11 @@ struct cred *prepare_creds(void) 


	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)

		goto error;



	new->ucounts = get_ucounts(new->ucounts);

	if (!new->ucounts)

		goto error;



	validate_creds(new);

	return new;
@@ -363,6 +372,8 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags) 
		ret = create_user_ns(new);

		if (ret < 0)

			goto error_put;

		if (set_cred_ucounts(new) < 0)

			goto error_put;

	}



#ifdef CONFIG_KEYS
@@ -653,6 +664,31 @@ int cred_fscmp(const struct cred *a, const struct cred *b) 
}

EXPORT_SYMBOL(cred_fscmp);



int set_cred_ucounts(struct cred *new)

{

	struct task_struct *task = current;

	const struct cred *old = task->real_cred;

	struct ucounts *old_ucounts = new->ucounts;



	if (new->user == old->user && new->user_ns == old->user_ns)

		return 0;



	/*

	 * This optimization is needed because alloc_ucounts() uses locks

	 * for table lookups.

	 */

	if (old_ucounts && old_ucounts->ns == new->user_ns && uid_eq(old_ucounts->uid, new->euid))

		return 0;



	if (!(new->ucounts = alloc_ucounts(new->user_ns, new->euid)))

		return -EAGAIN;



	if (old_ucounts)

		put_ucounts(old_ucounts);



	return 0;

}



/*

 * initialise the credentials stuff

 */
@@ -719,6 +755,10 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon) 
	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)

		goto error;



	new->ucounts = get_ucounts(new->ucounts);

	if (!new->ucounts)

		goto error;



	put_cred(old);

	validate_creds(new);

	return new;

kernel/fork.c

+6 −0
Original line number Diff line number Diff line
@@ -2995,6 +2995,12 @@ int ksys_unshare(unsigned long unshare_flags) 
	if (err)

		goto bad_unshare_cleanup_cred;



	if (new_cred) {

		err = set_cred_ucounts(new_cred);

		if (err)

			goto bad_unshare_cleanup_cred;

	}



	if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {

		if (do_sysvsem) {

			/*