From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Mon, 11 Nov 2024 19:28:52 +0000 (+0100)
Subject: lib/idmapping.c: Fix get_map_ranges range check
X-Git-Tag: 4.17.0-rc1~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=929e61d604c4377be15bc27b88d82666e667720c;p=thirdparty%2Fshadow.git

lib/idmapping.c: Fix get_map_ranges range check

The get_map_ranges function shall support the whole accepted range
as specified in user_namespaces(7), i.e. upper and lower from 0 to
UINT_MAX - 1 as well as range from 1 to UINT_MAX. The actual limit of
range depends on values of upper and lower and adding the range
to either upper or lower shall never overflow UINT_MAX.

Fixes: 7c43eb2c4ea6 (2024-07-11, "lib/idmapping.c: get_map_ranges(): Move range check to a2ul() call")
Fixes: ff2baed5dbf8 (2016-08-14, "idmapping: add more checks for overflow")
Fixes: 94da3dc5c853 (2016-08-14, "also check upper for wrap")
Fixes: 7f5a14817d30 (2016-07-31, "get_map_ranges: check for overflow")
Co-authored-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
---

diff --git a/lib/idmapping.c b/lib/idmapping.c
index 248269c84..a46c8c248 100644
--- a/lib/idmapping.c
+++ b/lib/idmapping.c
@@ -52,23 +52,19 @@ get_map_ranges(int ranges, int argc, char **argv)
 	/* Gather up the ranges from the command line */
 	m = mappings;
 	for (int i = 0; i < ranges * 3; i+=3, m++) {
-		if (a2ul(&m->upper, argv[i + 0], NULL, 0, 0, UINT_MAX) == -1) {
+		if (a2ul(&m->upper, argv[i + 0], NULL, 0, 0, UINT_MAX - 1) == -1) {
 			if (errno == ERANGE)
 				fprintf(log_get_logfd(), _( "%s: subuid overflow detected.\n"), log_get_progname());
 			free(mappings);
 			return NULL;
 		}
-		if (a2ul(&m->lower, argv[i + 1], NULL, 0, 0, UINT_MAX) == -1) {
+		if (a2ul(&m->lower, argv[i + 1], NULL, 0, 0, UINT_MAX - 1) == -1) {
 			if (errno == ERANGE)
 				fprintf(log_get_logfd(), _( "%s: subuid overflow detected.\n"), log_get_progname());
 			free(mappings);
 			return NULL;
 		}
-		if (a2ul(&m->count, argv[i + 2], NULL, 0, 0,
-		         MIN(MIN(UINT_MAX, ULONG_MAX - 1) - m->lower,
-		             MIN(UINT_MAX, ULONG_MAX - 1) - m->upper))
-		    == -1)
-		{
+		if (a2ul(&m->count, argv[i + 2], NULL, 0, 1, UINT_MAX - MAX(m->lower, m->upper)) == -1) {
 			if (errno == ERANGE)
 				fprintf(log_get_logfd(), _( "%s: subuid overflow detected.\n"), log_get_progname());
 			free(mappings);