ucounts: Fix rlimit max values check

The semantics of the rlimit max values differs from ucounts itself. When
creating a new userns, we store the current rlimit of the process in
ucount_max. Thus, the value of the limit in the parent userns is saved
in the created one.

The problem is that now we are taking the maximum value for counter from
the same userns. So for init_user_ns it will always be RLIM_INFINITY.

To fix the problem we need to check the counter value with the max value
stored in userns.

Reproducer:

su - test -c "ulimit -u 3; sleep 5 & sleep 6 & unshare -U --map-root-user sh -c 'sleep 7 & sleep 8 & date; wait'"

Before:

[1] 175
[2] 176
Fri Nov 26 13:48:20 UTC 2021
[1]-  Done                    sleep 5
[2]+  Done                    sleep 6

After:

[1] 167
[2] 168
sh: fork: retry: Resource temporarily unavailable
sh: fork: retry: Resource temporarily unavailable
sh: fork: retry: Resource temporarily unavailable
sh: fork: retry: Resource temporarily unavailable
sh: fork: retry: Resource temporarily unavailable
sh: fork: retry: Resource temporarily unavailable
sh: fork: retry: Resource temporarily unavailable
sh: fork: Interrupted system call
[1]-  Done                    sleep 5
[2]+  Done                    sleep 6

Fixes: c54b245d01 ("Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace")
Reported-by: Gleb Fotengauer-Malinovskiy <glebfm@altlinux.org>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Alexey Gladkov <legion@kernel.org>
Link: https://lkml.kernel.org/r/024ec805f6e16896f0b23e094773790d171d2c1c.1638218242.git.legion@kernel.org
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
This commit is contained in:
Alexey Gladkov 2021-11-29 21:37:25 +01:00 committed by Eric W. Biederman
parent 1360572566
commit 59ec71575a
1 changed files with 9 additions and 6 deletions

View File

@ -264,15 +264,16 @@ void dec_ucount(struct ucounts *ucounts, enum ucount_type type)
long inc_rlimit_ucounts(struct ucounts *ucounts, enum ucount_type type, long v) long inc_rlimit_ucounts(struct ucounts *ucounts, enum ucount_type type, long v)
{ {
struct ucounts *iter; struct ucounts *iter;
long max = LONG_MAX;
long ret = 0; long ret = 0;
for (iter = ucounts; iter; iter = iter->ns->ucounts) { for (iter = ucounts; iter; iter = iter->ns->ucounts) {
long max = READ_ONCE(iter->ns->ucount_max[type]);
long new = atomic_long_add_return(v, &iter->ucount[type]); long new = atomic_long_add_return(v, &iter->ucount[type]);
if (new < 0 || new > max) if (new < 0 || new > max)
ret = LONG_MAX; ret = LONG_MAX;
else if (iter == ucounts) else if (iter == ucounts)
ret = new; ret = new;
max = READ_ONCE(iter->ns->ucount_max[type]);
} }
return ret; return ret;
} }
@ -312,15 +313,16 @@ long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum ucount_type type)
{ {
/* Caller must hold a reference to ucounts */ /* Caller must hold a reference to ucounts */
struct ucounts *iter; struct ucounts *iter;
long max = LONG_MAX;
long dec, ret = 0; long dec, ret = 0;
for (iter = ucounts; iter; iter = iter->ns->ucounts) { for (iter = ucounts; iter; iter = iter->ns->ucounts) {
long max = READ_ONCE(iter->ns->ucount_max[type]);
long new = atomic_long_add_return(1, &iter->ucount[type]); long new = atomic_long_add_return(1, &iter->ucount[type]);
if (new < 0 || new > max) if (new < 0 || new > max)
goto unwind; goto unwind;
if (iter == ucounts) if (iter == ucounts)
ret = new; ret = new;
max = READ_ONCE(iter->ns->ucount_max[type]);
/* /*
* Grab an extra ucount reference for the caller when * Grab an extra ucount reference for the caller when
* the rlimit count was previously 0. * the rlimit count was previously 0.
@ -339,15 +341,16 @@ unwind:
return 0; return 0;
} }
bool is_ucounts_overlimit(struct ucounts *ucounts, enum ucount_type type, unsigned long max) bool is_ucounts_overlimit(struct ucounts *ucounts, enum ucount_type type, unsigned long rlimit)
{ {
struct ucounts *iter; struct ucounts *iter;
if (get_ucounts_value(ucounts, type) > max) long max = rlimit;
return true; if (rlimit > LONG_MAX)
max = LONG_MAX;
for (iter = ucounts; iter; iter = iter->ns->ucounts) { for (iter = ucounts; iter; iter = iter->ns->ucounts) {
max = READ_ONCE(iter->ns->ucount_max[type]);
if (get_ucounts_value(iter, type) > max) if (get_ucounts_value(iter, type) > max)
return true; return true;
max = READ_ONCE(iter->ns->ucount_max[type]);
} }
return false; return false;
} }