From 3bf90da39cf14660a11e3980451c757398bcf84e Mon Sep 17 00:00:00 2001 From: Ryan Sullivan Date: Wed, 15 Mar 2023 10:24:04 -0400 Subject: [KPATCH CVE-2023-0386] kpatch fixes for CVE-2023-0386 Kernels: 5.14.0-162.6.1.el9_1 5.14.0-162.12.1.el9_1 5.14.0-162.18.1.el9_1 Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/26 Approved-by: Joe Lawrence (@joe.lawrence) Approved-by: Yannick Cote (@ycote1) Changes since last build: arches: x86_64 ppc64le copy_up.o: changed function: ovl_copy_up_one --------------------------- Modifications: none commit 977edea04b2c1dd1dc51ae7a1dbf5b484c048045 Author: Miklos Szeredi Date: Tue Jan 24 16:41:18 2023 +0100 ovl: fail on invalid uid/gid mapping at copy up Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2165344 CVE: CVE-2023-0386 If st_uid/st_gid doesn't have a mapping in the mounter's user_ns, then copy-up should fail, just like it would fail if the mounter task was doing the copy using "cp -a". There's a corner case where the "cp -a" would succeed but copy up fail: if there's a mapping of the invalid uid/gid (65534 by default) in the user namespace. This is because stat(2) will return this value if the mapping doesn't exist in the current user_ns and "cp -a" will in turn be able to create a file with this uid/gid. This behavior would be inconsistent with POSIX ACL's, which return -1 for invalid uid/gid which result in a failed copy. For consistency and simplicity fail the copy of the st_uid/st_gid are invalid. Fixes: 459c7c565ac3 ("ovl: unprivieged mounts") Cc: # v5.11 Signed-off-by: Miklos Szeredi Reviewed-by: Christian Brauner Reviewed-by: Seth Forshee (cherry picked from commit 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3) Signed-off-by: Miklos Szeredi Signed-off-by: Ryan Sullivan --- fs/overlayfs/copy_up.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c index 2846b943e80c..95b2173ab9bc 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -886,6 +886,10 @@ static int ovl_copy_up_one(struct dentry *parent, struct dentry *dentry, if (err) return err; + if (!kuid_has_mapping(current_user_ns(), ctx.stat.uid) || + !kgid_has_mapping(current_user_ns(), ctx.stat.gid)) + return -EOVERFLOW; + ctx.metacopy = ovl_need_meta_copy_up(dentry, ctx.stat.mode, flags); if (parent) { -- 2.39.2