sys: don't hold uts_sem while accessing userspace memory

Holding uts_sem as a writer while accessing userspace memory allows a
namespace admin to stall all processes that attempt to take uts_sem.
Instead, move data through stack buffers and don't access userspace memory
while uts_sem is held.

Cc: stable@vger.kernel.org
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
This commit is contained in:
Jann Horn 2018-06-25 18:34:10 +02:00 committed by Eric W. Biederman
parent 5820f140ed
commit 42a0cc3478
5 changed files with 121 additions and 112 deletions

View file

@ -530,24 +530,19 @@ SYSCALL_DEFINE4(osf_mount, unsigned long, typenr, const char __user *, path,
SYSCALL_DEFINE1(osf_utsname, char __user *, name) SYSCALL_DEFINE1(osf_utsname, char __user *, name)
{ {
int error; int error;
char tmp[5 * 32];
down_read(&uts_sem); down_read(&uts_sem);
error = -EFAULT; memcpy(tmp + 0 * 32, utsname()->sysname, 32);
if (copy_to_user(name + 0, utsname()->sysname, 32)) memcpy(tmp + 1 * 32, utsname()->nodename, 32);
goto out; memcpy(tmp + 2 * 32, utsname()->release, 32);
if (copy_to_user(name + 32, utsname()->nodename, 32)) memcpy(tmp + 3 * 32, utsname()->version, 32);
goto out; memcpy(tmp + 4 * 32, utsname()->machine, 32);
if (copy_to_user(name + 64, utsname()->release, 32)) up_read(&uts_sem);
goto out;
if (copy_to_user(name + 96, utsname()->version, 32))
goto out;
if (copy_to_user(name + 128, utsname()->machine, 32))
goto out;
error = 0; if (copy_to_user(name, tmp, sizeof(tmp)))
out: return -EFAULT;
up_read(&uts_sem); return 0;
return error;
} }
SYSCALL_DEFINE0(getpagesize) SYSCALL_DEFINE0(getpagesize)
@ -567,18 +562,21 @@ SYSCALL_DEFINE2(osf_getdomainname, char __user *, name, int, namelen)
{ {
int len, err = 0; int len, err = 0;
char *kname; char *kname;
char tmp[32];
if (namelen > 32) if (namelen < 0 || namelen > 32)
namelen = 32; namelen = 32;
down_read(&uts_sem); down_read(&uts_sem);
kname = utsname()->domainname; kname = utsname()->domainname;
len = strnlen(kname, namelen); len = strnlen(kname, namelen);
if (copy_to_user(name, kname, min(len + 1, namelen))) len = min(len + 1, namelen);
err = -EFAULT; memcpy(tmp, kname, len);
up_read(&uts_sem); up_read(&uts_sem);
return err; if (copy_to_user(name, tmp, len))
return -EFAULT;
return 0;
} }
/* /*
@ -739,13 +737,14 @@ SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)
}; };
unsigned long offset; unsigned long offset;
const char *res; const char *res;
long len, err = -EINVAL; long len;
char tmp[__NEW_UTS_LEN + 1];
offset = command-1; offset = command-1;
if (offset >= ARRAY_SIZE(sysinfo_table)) { if (offset >= ARRAY_SIZE(sysinfo_table)) {
/* Digital UNIX has a few unpublished interfaces here */ /* Digital UNIX has a few unpublished interfaces here */
printk("sysinfo(%d)", command); printk("sysinfo(%d)", command);
goto out; return -EINVAL;
} }
down_read(&uts_sem); down_read(&uts_sem);
@ -753,13 +752,11 @@ SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count)
len = strlen(res)+1; len = strlen(res)+1;
if ((unsigned long)len > (unsigned long)count) if ((unsigned long)len > (unsigned long)count)
len = count; len = count;
if (copy_to_user(buf, res, len)) memcpy(tmp, res, len);
err = -EFAULT;
else
err = 0;
up_read(&uts_sem); up_read(&uts_sem);
out: if (copy_to_user(buf, tmp, len))
return err; return -EFAULT;
return 0;
} }
SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer, SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer,

View file

@ -197,23 +197,27 @@ SYSCALL_DEFINE5(rt_sigaction, int, sig,
SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len) SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len)
{ {
int nlen, err; int nlen, err;
char tmp[__NEW_UTS_LEN + 1];
if (len < 0) if (len < 0)
return -EINVAL; return -EINVAL;
down_read(&uts_sem); down_read(&uts_sem);
nlen = strlen(utsname()->domainname) + 1; nlen = strlen(utsname()->domainname) + 1;
err = -EINVAL; err = -EINVAL;
if (nlen > len) if (nlen > len)
goto out; goto out_unlock;
memcpy(tmp, utsname()->domainname, nlen);
err = -EFAULT; up_read(&uts_sem);
if (!copy_to_user(name, utsname()->domainname, nlen))
err = 0;
out: if (copy_to_user(name, tmp, nlen))
return -EFAULT;
return 0;
out_unlock:
up_read(&uts_sem); up_read(&uts_sem);
return err; return err;
} }

View file

@ -519,23 +519,27 @@ asmlinkage void sparc_breakpoint(struct pt_regs *regs)
SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len) SYSCALL_DEFINE2(getdomainname, char __user *, name, int, len)
{ {
int nlen, err; int nlen, err;
char tmp[__NEW_UTS_LEN + 1];
if (len < 0) if (len < 0)
return -EINVAL; return -EINVAL;
down_read(&uts_sem); down_read(&uts_sem);
nlen = strlen(utsname()->domainname) + 1; nlen = strlen(utsname()->domainname) + 1;
err = -EINVAL; err = -EINVAL;
if (nlen > len) if (nlen > len)
goto out; goto out_unlock;
memcpy(tmp, utsname()->domainname, nlen);
err = -EFAULT; up_read(&uts_sem);
if (!copy_to_user(name, utsname()->domainname, nlen))
err = 0;
out: if (copy_to_user(name, tmp, nlen))
return -EFAULT;
return 0;
out_unlock:
up_read(&uts_sem); up_read(&uts_sem);
return err; return err;
} }

View file

@ -1237,18 +1237,19 @@ static int override_release(char __user *release, size_t len)
SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name) SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name)
{ {
int errno = 0; struct new_utsname tmp;
down_read(&uts_sem); down_read(&uts_sem);
if (copy_to_user(name, utsname(), sizeof *name)) memcpy(&tmp, utsname(), sizeof(tmp));
errno = -EFAULT;
up_read(&uts_sem); up_read(&uts_sem);
if (copy_to_user(name, &tmp, sizeof(tmp)))
return -EFAULT;
if (!errno && override_release(name->release, sizeof(name->release))) if (override_release(name->release, sizeof(name->release)))
errno = -EFAULT; return -EFAULT;
if (!errno && override_architecture(name)) if (override_architecture(name))
errno = -EFAULT; return -EFAULT;
return errno; return 0;
} }
#ifdef __ARCH_WANT_SYS_OLD_UNAME #ifdef __ARCH_WANT_SYS_OLD_UNAME
@ -1257,55 +1258,46 @@ SYSCALL_DEFINE1(newuname, struct new_utsname __user *, name)
*/ */
SYSCALL_DEFINE1(uname, struct old_utsname __user *, name) SYSCALL_DEFINE1(uname, struct old_utsname __user *, name)
{ {
int error = 0; struct old_utsname tmp;
if (!name) if (!name)
return -EFAULT; return -EFAULT;
down_read(&uts_sem); down_read(&uts_sem);
if (copy_to_user(name, utsname(), sizeof(*name))) memcpy(&tmp, utsname(), sizeof(tmp));
error = -EFAULT;
up_read(&uts_sem); up_read(&uts_sem);
if (copy_to_user(name, &tmp, sizeof(tmp)))
return -EFAULT;
if (!error && override_release(name->release, sizeof(name->release))) if (override_release(name->release, sizeof(name->release)))
error = -EFAULT; return -EFAULT;
if (!error && override_architecture(name)) if (override_architecture(name))
error = -EFAULT; return -EFAULT;
return error; return 0;
} }
SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name) SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
{ {
int error; struct oldold_utsname tmp = {};
if (!name) if (!name)
return -EFAULT; return -EFAULT;
if (!access_ok(VERIFY_WRITE, name, sizeof(struct oldold_utsname)))
return -EFAULT;
down_read(&uts_sem); down_read(&uts_sem);
error = __copy_to_user(&name->sysname, &utsname()->sysname, memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN);
__OLD_UTS_LEN); memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN);
error |= __put_user(0, name->sysname + __OLD_UTS_LEN); memcpy(&tmp.release, &utsname()->release, __OLD_UTS_LEN);
error |= __copy_to_user(&name->nodename, &utsname()->nodename, memcpy(&tmp.version, &utsname()->version, __OLD_UTS_LEN);
__OLD_UTS_LEN); memcpy(&tmp.machine, &utsname()->machine, __OLD_UTS_LEN);
error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
error |= __copy_to_user(&name->release, &utsname()->release,
__OLD_UTS_LEN);
error |= __put_user(0, name->release + __OLD_UTS_LEN);
error |= __copy_to_user(&name->version, &utsname()->version,
__OLD_UTS_LEN);
error |= __put_user(0, name->version + __OLD_UTS_LEN);
error |= __copy_to_user(&name->machine, &utsname()->machine,
__OLD_UTS_LEN);
error |= __put_user(0, name->machine + __OLD_UTS_LEN);
up_read(&uts_sem); up_read(&uts_sem);
if (copy_to_user(name, &tmp, sizeof(tmp)))
return -EFAULT;
if (!error && override_architecture(name)) if (override_architecture(name))
error = -EFAULT; return -EFAULT;
if (!error && override_release(name->release, sizeof(name->release))) if (override_release(name->release, sizeof(name->release)))
error = -EFAULT; return -EFAULT;
return error ? -EFAULT : 0; return 0;
} }
#endif #endif
@ -1319,17 +1311,18 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int, len)
if (len < 0 || len > __NEW_UTS_LEN) if (len < 0 || len > __NEW_UTS_LEN)
return -EINVAL; return -EINVAL;
down_write(&uts_sem);
errno = -EFAULT; errno = -EFAULT;
if (!copy_from_user(tmp, name, len)) { if (!copy_from_user(tmp, name, len)) {
struct new_utsname *u = utsname(); struct new_utsname *u;
down_write(&uts_sem);
u = utsname();
memcpy(u->nodename, tmp, len); memcpy(u->nodename, tmp, len);
memset(u->nodename + len, 0, sizeof(u->nodename) - len); memset(u->nodename + len, 0, sizeof(u->nodename) - len);
errno = 0; errno = 0;
uts_proc_notify(UTS_PROC_HOSTNAME); uts_proc_notify(UTS_PROC_HOSTNAME);
up_write(&uts_sem);
} }
up_write(&uts_sem);
return errno; return errno;
} }
@ -1337,8 +1330,9 @@ SYSCALL_DEFINE2(sethostname, char __user *, name, int, len)
SYSCALL_DEFINE2(gethostname, char __user *, name, int, len) SYSCALL_DEFINE2(gethostname, char __user *, name, int, len)
{ {
int i, errno; int i;
struct new_utsname *u; struct new_utsname *u;
char tmp[__NEW_UTS_LEN + 1];
if (len < 0) if (len < 0)
return -EINVAL; return -EINVAL;
@ -1347,11 +1341,11 @@ SYSCALL_DEFINE2(gethostname, char __user *, name, int, len)
i = 1 + strlen(u->nodename); i = 1 + strlen(u->nodename);
if (i > len) if (i > len)
i = len; i = len;
errno = 0; memcpy(tmp, u->nodename, i);
if (copy_to_user(name, u->nodename, i))
errno = -EFAULT;
up_read(&uts_sem); up_read(&uts_sem);
return errno; if (copy_to_user(name, tmp, i))
return -EFAULT;
return 0;
} }
#endif #endif
@ -1370,17 +1364,18 @@ SYSCALL_DEFINE2(setdomainname, char __user *, name, int, len)
if (len < 0 || len > __NEW_UTS_LEN) if (len < 0 || len > __NEW_UTS_LEN)
return -EINVAL; return -EINVAL;
down_write(&uts_sem);
errno = -EFAULT; errno = -EFAULT;
if (!copy_from_user(tmp, name, len)) { if (!copy_from_user(tmp, name, len)) {
struct new_utsname *u = utsname(); struct new_utsname *u;
down_write(&uts_sem);
u = utsname();
memcpy(u->domainname, tmp, len); memcpy(u->domainname, tmp, len);
memset(u->domainname + len, 0, sizeof(u->domainname) - len); memset(u->domainname + len, 0, sizeof(u->domainname) - len);
errno = 0; errno = 0;
uts_proc_notify(UTS_PROC_DOMAINNAME); uts_proc_notify(UTS_PROC_DOMAINNAME);
up_write(&uts_sem);
} }
up_write(&uts_sem);
return errno; return errno;
} }

View file

@ -18,7 +18,7 @@
#ifdef CONFIG_PROC_SYSCTL #ifdef CONFIG_PROC_SYSCTL
static void *get_uts(struct ctl_table *table, int write) static void *get_uts(struct ctl_table *table)
{ {
char *which = table->data; char *which = table->data;
struct uts_namespace *uts_ns; struct uts_namespace *uts_ns;
@ -26,21 +26,9 @@ static void *get_uts(struct ctl_table *table, int write)
uts_ns = current->nsproxy->uts_ns; uts_ns = current->nsproxy->uts_ns;
which = (which - (char *)&init_uts_ns) + (char *)uts_ns; which = (which - (char *)&init_uts_ns) + (char *)uts_ns;
if (!write)
down_read(&uts_sem);
else
down_write(&uts_sem);
return which; return which;
} }
static void put_uts(struct ctl_table *table, int write, void *which)
{
if (!write)
up_read(&uts_sem);
else
up_write(&uts_sem);
}
/* /*
* Special case of dostring for the UTS structure. This has locks * Special case of dostring for the UTS structure. This has locks
* to observe. Should this be in kernel/sys.c ???? * to observe. Should this be in kernel/sys.c ????
@ -50,13 +38,34 @@ static int proc_do_uts_string(struct ctl_table *table, int write,
{ {
struct ctl_table uts_table; struct ctl_table uts_table;
int r; int r;
memcpy(&uts_table, table, sizeof(uts_table)); char tmp_data[__NEW_UTS_LEN + 1];
uts_table.data = get_uts(table, write);
r = proc_dostring(&uts_table, write, buffer, lenp, ppos);
put_uts(table, write, uts_table.data);
if (write) memcpy(&uts_table, table, sizeof(uts_table));
uts_table.data = tmp_data;
/*
* Buffer the value in tmp_data so that proc_dostring() can be called
* without holding any locks.
* We also need to read the original value in the write==1 case to
* support partial writes.
*/
down_read(&uts_sem);
memcpy(tmp_data, get_uts(table), sizeof(tmp_data));
up_read(&uts_sem);
r = proc_dostring(&uts_table, write, buffer, lenp, ppos);
if (write) {
/*
* Write back the new value.
* Note that, since we dropped uts_sem, the result can
* theoretically be incorrect if there are two parallel writes
* at non-zero offsets to the same sysctl.
*/
down_write(&uts_sem);
memcpy(get_uts(table), tmp_data, sizeof(tmp_data));
up_write(&uts_sem);
proc_sys_poll_notify(table->poll); proc_sys_poll_notify(table->poll);
}
return r; return r;
} }