All of
 help / color / mirror / Atom feed
From: Christian Brauner <>
	Christian Brauner <>
Subject: [PATCH v4 2/3] sysctl: handle overflow for file-max
Date: Sun, 10 Feb 2019 21:39:42 +0100	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

Currently, when writing

echo 18446744073709551616 > /proc/sys/fs/file-max

/proc/sys/fs/file-max will overflow and be set to 0. That quickly
crashes the system.
This commit sets the max and min value for file-max. The max value is set
to long int. Any higher value cannot currently be used as the percpu
counters are long ints and not unsigned integers.

Note that the file-max value is ultimately parsed via
__do_proc_doulongvec_minmax(). This function does not report error when min
or max are exceeded. Which means if a value largen that long int is written
userspace will not receive an error instead the old value will be kept.
There is an argument to be made that this should be changed and
__do_proc_doulongvec_minmax() should return an error when a dedicated min
or max value are exceeded. However this has the potential to break
userspace so let's defer this to an RFC patch.

Cc: Dominik Brodowski <>
Signed-off-by: Christian Brauner <>
Acked-by: Kees Cook <>
- unchanged
  The prior version of the patch contained a generic change affecting all
  callers of __do_proc_doulongvec_minmax(). This part was split out into a
  separate RFC patch as it nees a proper discussion and consideration
  whether this would break userspace.

- unchanged

- consistenly fail on overflow

- if max value is < than ULONG_MAX use max as upper bound
- (Dominik) remove double "the" from commit message
 kernel/sysctl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 70581ade3555..c4a44b7ccb8a 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -129,6 +129,7 @@ static int __maybe_unused one = 1;
 static int __maybe_unused two = 2;
 static int __maybe_unused four = 4;
 static unsigned long one_ul = 1;
+static unsigned long long_max = LONG_MAX;
 static int one_hundred = 100;
 static int one_thousand = 1000;
@@ -1724,6 +1725,8 @@ static struct ctl_table fs_table[] = {
 		.maxlen		= sizeof(files_stat.max_files),
 		.mode		= 0644,
 		.proc_handler	= proc_doulongvec_minmax,
+		.extra1		= &zero,
+		.extra2		= &long_max,
 		.procname	= "nr_open",

  parent reply	other threads:[~2019-02-10 20:40 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-02-10 20:39 [PATCH v4 0/3] sysctl: handle overflow for file-max Christian Brauner
2019-02-10 20:39 ` [PATCH v4 1/3] sysctl: handle overflow in proc_get_long Christian Brauner
2019-02-10 20:39 ` Christian Brauner [this message]
2019-02-10 20:39 ` [RFC PATCH v4 3/3] sysctl: return -EINVAL if val violates minmax Christian Brauner
2019-02-11 19:50   ` Luis Chamberlain

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.