* [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups
@ 2017-10-10 18:04 Joe Lawrence
2017-10-10 18:04 ` [PATCH v3 1/4] pipe: match pipe_max_size data type with procfs Joe Lawrence
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: Joe Lawrence @ 2017-10-10 18:04 UTC (permalink / raw)
To: linux-kernel; +Cc: Mikulas Patocka, Michael Kerrisk, Randy Dunlap
While backporting Michael's "pipe: fix limit handling" patchset to a
distro-kernel, Mikulas noticed that current upstream pipe limit handling
contains a few problems:
1 - procfs signed wrap: echo'ing a large number into
/proc/sys/fs/pipe-max-size and then cat'ing it back out shows a
negative value.
2 - round_pipe_size() nr_pages overflow on 32bit: this would
subsequently try roundup_pow_of_two(0), which is undefined.
3 - visible non-rounded pipe-max-size value: there is no mutual
exclusion or protection between the time pipe_max_size is assigned
a raw value from proc_dointvec_minmax() and when it is rounded.
4 - unsigned long -> unsigned int conversion makes for potential odd
return errors from do_proc_douintvec_minmax_conv() and
do_proc_dopipe_max_size_conv().
This version underwent the same testing as v1:
https://marc.info/?l=linux-kernel&m=150643571406022&w=2
v1 (from rfc):
- Re-arrange patchset order, push smaller fixes to the front
- Add a check so that round_pipe_size(size < pipe_min_size) will round
up to round_pipe_size(pipe_min_size) as per man page [RD]
- Add new procfs proc_dopipe_max_size() and helpers to consolidate user
space read / type validation / rounding / assignment [MP]
v2:
- Fix !CONFIG_PROC_SYSCTL build case [buildbots]
v3:
- s/proc_dointvec_minmax/proc_dopipe_max_size/ in comment
preceding pipe_proc_fn()
- Added a fourth patch to address -ERANGE vs. -EINVAL inconsistencies in
do_proc_douintvec_minmax_conv() and do_proc_dopipe_max_size_conv().
Joe Lawrence (4):
pipe: match pipe_max_size data type with procfs
pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
pipe: add proc_dopipe_max_size() to safely assign pipe_max_size
sysctl: check for UINT_MAX before unsigned int min/max
fs/pipe.c | 23 ++++++++++---------
include/linux/pipe_fs_i.h | 1 +
include/linux/sysctl.h | 3 +++
kernel/sysctl.c | 57 ++++++++++++++++++++++++++++++++++++++++++++---
4 files changed, 70 insertions(+), 14 deletions(-)
--
1.8.3.1
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v3 1/4] pipe: match pipe_max_size data type with procfs
2017-10-10 18:04 [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups Joe Lawrence
@ 2017-10-10 18:04 ` Joe Lawrence
2017-10-10 18:04 ` [PATCH v3 2/4] pipe: avoid round_pipe_size() nr_pages overflow on 32-bit Joe Lawrence
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Joe Lawrence @ 2017-10-10 18:04 UTC (permalink / raw)
To: linux-kernel; +Cc: Mikulas Patocka, Michael Kerrisk, Randy Dunlap
pipe_max_size is defined as an unsigned int:
unsigned int pipe_max_size = 1048576;
but its procfs/sysctl representation is an integer:
static struct ctl_table fs_table[] = {
...
{
.procname = "pipe-max-size",
.data = &pipe_max_size,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = &pipe_proc_fn,
.extra1 = &pipe_min_size,
},
...
that is signed:
int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
size_t *lenp, loff_t *ppos)
{
...
ret = proc_dointvec_minmax(table, write, buf, lenp, ppos)
This leads to signed results via procfs for large values of
pipe_max_size:
% echo 2147483647 >/proc/sys/fs/pipe-max-size
% cat /proc/sys/fs/pipe-max-size
-2147483648
Use unsigned operations on this variable to avoid such negative values.
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
fs/pipe.c | 2 +-
kernel/sysctl.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/pipe.c b/fs/pipe.c
index 97e5be897753..a21ad26de557 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1124,7 +1124,7 @@ int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
{
int ret;
- ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
+ ret = proc_douintvec_minmax(table, write, buf, lenp, ppos);
if (ret < 0 || !write)
return ret;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 6648fbbb8157..c976719bf37a 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1825,7 +1825,7 @@ static int sysrq_sysctl_handler(struct ctl_table *table, int write,
{
.procname = "pipe-max-size",
.data = &pipe_max_size,
- .maxlen = sizeof(int),
+ .maxlen = sizeof(pipe_max_size),
.mode = 0644,
.proc_handler = &pipe_proc_fn,
.extra1 = &pipe_min_size,
--
1.8.3.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v3 2/4] pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
2017-10-10 18:04 [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups Joe Lawrence
2017-10-10 18:04 ` [PATCH v3 1/4] pipe: match pipe_max_size data type with procfs Joe Lawrence
@ 2017-10-10 18:04 ` Joe Lawrence
2017-10-10 18:04 ` [PATCH v3 3/4] pipe: add proc_dopipe_max_size() to safely assign pipe_max_size Joe Lawrence
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Joe Lawrence @ 2017-10-10 18:04 UTC (permalink / raw)
To: linux-kernel; +Cc: Mikulas Patocka, Michael Kerrisk, Randy Dunlap
The round_pipe_size() function contains a right-bit-shift expression
which may overflow, which would cause undefined results in a subsequent
roundup_pow_of_two() call.
static inline unsigned int round_pipe_size(unsigned int size)
{
unsigned long nr_pages;
nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
}
PAGE_SIZE is defined as (1UL << PAGE_SHIFT), so:
- 4 bytes wide on 32-bit (0 to 0xffffffff)
- 8 bytes wide on 64-bit (0 to 0xffffffffffffffff)
That means that 32-bit round_pipe_size(), nr_pages may overflow to 0:
size=0x00000000 nr_pages=0x0
size=0x00000001 nr_pages=0x1
size=0xfffff000 nr_pages=0xfffff
size=0xfffff001 nr_pages=0x0 << !
size=0xffffffff nr_pages=0x0 << !
This is bad because roundup_pow_of_two(n) is undefined when n == 0!
64-bit is not a problem as the unsigned int size is 4 bytes wide
(similar to 32-bit) and the larger, 8 byte wide unsigned long, is
sufficient to handle the largest value of the bit shift expression:
size=0xffffffff nr_pages=100000
Modify round_pipe_size() to return 0 if n == 0 and updates its callers
to handle accordingly.
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
fs/pipe.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/fs/pipe.c b/fs/pipe.c
index a21ad26de557..8cbc97d97753 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1017,13 +1017,19 @@ static int fifo_open(struct inode *inode, struct file *filp)
/*
* Currently we rely on the pipe array holding a power-of-2 number
- * of pages.
+ * of pages. Returns 0 on error.
*/
static inline unsigned int round_pipe_size(unsigned int size)
{
unsigned long nr_pages;
+ if (size < pipe_min_size)
+ size = pipe_min_size;
+
nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ if (nr_pages == 0)
+ return 0;
+
return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
}
@@ -1039,6 +1045,8 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
long ret = 0;
size = round_pipe_size(arg);
+ if (size == 0)
+ return -EINVAL;
nr_pages = size >> PAGE_SHIFT;
if (!nr_pages)
@@ -1122,13 +1130,18 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
size_t *lenp, loff_t *ppos)
{
+ unsigned int rounded_pipe_max_size;
int ret;
ret = proc_douintvec_minmax(table, write, buf, lenp, ppos);
if (ret < 0 || !write)
return ret;
- pipe_max_size = round_pipe_size(pipe_max_size);
+ rounded_pipe_max_size = round_pipe_size(pipe_max_size);
+ if (rounded_pipe_max_size == 0)
+ return -EINVAL;
+
+ pipe_max_size = rounded_pipe_max_size;
return ret;
}
--
1.8.3.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v3 3/4] pipe: add proc_dopipe_max_size() to safely assign pipe_max_size
2017-10-10 18:04 [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups Joe Lawrence
2017-10-10 18:04 ` [PATCH v3 1/4] pipe: match pipe_max_size data type with procfs Joe Lawrence
2017-10-10 18:04 ` [PATCH v3 2/4] pipe: avoid round_pipe_size() nr_pages overflow on 32-bit Joe Lawrence
@ 2017-10-10 18:04 ` Joe Lawrence
2017-10-10 18:04 ` [PATCH v3 4/4] sysctl: check for UINT_MAX before unsigned int min/max Joe Lawrence
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: Joe Lawrence @ 2017-10-10 18:04 UTC (permalink / raw)
To: linux-kernel; +Cc: Mikulas Patocka, Michael Kerrisk, Randy Dunlap
pipe_max_size is assigned directly via procfs sysctl:
static struct ctl_table fs_table[] = {
...
{
.procname = "pipe-max-size",
.data = &pipe_max_size,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = &pipe_proc_fn,
.extra1 = &pipe_min_size,
},
...
int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
size_t *lenp, loff_t *ppos)
{
...
ret = proc_dointvec_minmax(table, write, buf, lenp, ppos)
...
and then later rounded in-place a few statements later:
...
pipe_max_size = round_pipe_size(pipe_max_size);
...
This leaves a window of time between initial assignment and rounding
that may be visible to other threads. (For example, one thread sets a
non-rounded value to pipe_max_size while another reads its value.)
Similar reads of pipe_max_size are potentially racey:
pipe.c :: alloc_pipe_info()
pipe.c :: pipe_set_size()
Add a new proc_dopipe_max_size() function that consolidates reading the
new value from the user buffer, verifying bounds, and calling
round_pipe_size() with a single assignment to pipe_max_size.
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
fs/pipe.c | 18 +++--------------
include/linux/pipe_fs_i.h | 1 +
include/linux/sysctl.h | 3 +++
kernel/sysctl.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 56 insertions(+), 15 deletions(-)
diff --git a/fs/pipe.c b/fs/pipe.c
index 8cbc97d97753..e4eea5a51916 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1019,7 +1019,7 @@ static int fifo_open(struct inode *inode, struct file *filp)
* Currently we rely on the pipe array holding a power-of-2 number
* of pages. Returns 0 on error.
*/
-static inline unsigned int round_pipe_size(unsigned int size)
+unsigned int round_pipe_size(unsigned int size)
{
unsigned long nr_pages;
@@ -1124,25 +1124,13 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
}
/*
- * This should work even if CONFIG_PROC_FS isn't set, as proc_dointvec_minmax
+ * This should work even if CONFIG_PROC_FS isn't set, as proc_dopipe_max_size
* will return an error.
*/
int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
size_t *lenp, loff_t *ppos)
{
- unsigned int rounded_pipe_max_size;
- int ret;
-
- ret = proc_douintvec_minmax(table, write, buf, lenp, ppos);
- if (ret < 0 || !write)
- return ret;
-
- rounded_pipe_max_size = round_pipe_size(pipe_max_size);
- if (rounded_pipe_max_size == 0)
- return -EINVAL;
-
- pipe_max_size = rounded_pipe_max_size;
- return ret;
+ return proc_dopipe_max_size(table, write, buf, lenp, ppos);
}
/*
diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
index e7497c9dde7f..485cf7a7aa8f 100644
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -190,5 +190,6 @@ static inline int pipe_buf_steal(struct pipe_inode_info *pipe,
struct pipe_inode_info *get_pipe_info(struct file *file);
int create_pipe_files(struct file **, int);
+unsigned int round_pipe_size(unsigned int size);
#endif
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 1d4dba490fb6..ba24ca72800c 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -50,6 +50,9 @@ extern int proc_dointvec_minmax(struct ctl_table *, int,
extern int proc_douintvec_minmax(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp,
loff_t *ppos);
+extern int proc_dopipe_max_size(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp,
+ loff_t *ppos);
extern int proc_dointvec_jiffies(struct ctl_table *, int,
void __user *, size_t *, loff_t *);
extern int proc_dointvec_userhz_jiffies(struct ctl_table *, int,
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index c976719bf37a..30b01b22014d 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -67,6 +67,7 @@
#include <linux/kexec.h>
#include <linux/bpf.h>
#include <linux/mount.h>
+#include <linux/pipe_fs_i.h>
#include <linux/uaccess.h>
#include <asm/processor.h>
@@ -2631,6 +2632,47 @@ int proc_douintvec_minmax(struct ctl_table *table, int write,
do_proc_douintvec_minmax_conv, ¶m);
}
+struct do_proc_dopipe_max_size_conv_param {
+ unsigned int *min;
+};
+
+static int do_proc_dopipe_max_size_conv(unsigned long *lvalp,
+ unsigned int *valp,
+ int write, void *data)
+{
+ struct do_proc_dopipe_max_size_conv_param *param = data;
+
+ if (write) {
+ unsigned int val = round_pipe_size(*lvalp);
+
+ if (val == 0)
+ return -EINVAL;
+
+ if (param->min && *param->min > val)
+ return -ERANGE;
+
+ if (*lvalp > UINT_MAX)
+ return -EINVAL;
+
+ *valp = val;
+ } else {
+ unsigned int val = *valp;
+ *lvalp = (unsigned long) val;
+ }
+
+ return 0;
+}
+
+int proc_dopipe_max_size(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+ struct do_proc_dopipe_max_size_conv_param param = {
+ .min = (unsigned int *) table->extra1,
+ };
+ return do_proc_douintvec(table, write, buffer, lenp, ppos,
+ do_proc_dopipe_max_size_conv, ¶m);
+}
+
static void validate_coredump_safety(void)
{
#ifdef CONFIG_COREDUMP
@@ -3136,6 +3178,12 @@ int proc_douintvec_minmax(struct ctl_table *table, int write,
return -ENOSYS;
}
+int proc_dopipe_max_size(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+ return -ENOSYS;
+}
+
int proc_dointvec_jiffies(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
@@ -3179,6 +3227,7 @@ int proc_doulongvec_ms_jiffies_minmax(struct ctl_table *table, int write,
EXPORT_SYMBOL(proc_dointvec_jiffies);
EXPORT_SYMBOL(proc_dointvec_minmax);
EXPORT_SYMBOL_GPL(proc_douintvec_minmax);
+EXPORT_SYMBOL_GPL(proc_dopipe_max_size);
EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
EXPORT_SYMBOL(proc_dostring);
--
1.8.3.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v3 4/4] sysctl: check for UINT_MAX before unsigned int min/max
2017-10-10 18:04 [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups Joe Lawrence
` (2 preceding siblings ...)
2017-10-10 18:04 ` [PATCH v3 3/4] pipe: add proc_dopipe_max_size() to safely assign pipe_max_size Joe Lawrence
@ 2017-10-10 18:04 ` Joe Lawrence
2017-10-12 14:05 ` [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups Mikulas Patocka
2017-10-16 13:24 ` Joe Lawrence
5 siblings, 0 replies; 7+ messages in thread
From: Joe Lawrence @ 2017-10-10 18:04 UTC (permalink / raw)
To: linux-kernel; +Cc: Mikulas Patocka, Michael Kerrisk, Randy Dunlap
Mikulas noticed in the existing do_proc_douintvec_minmax_conv() and
do_proc_dopipe_max_size_conv() introduced in this patchset, that they
inconsistently handle overflow and min/max range inputs:
For example:
0 ... param->min - 1 ---> ERANGE
param->min ... param->max ---> the value is accepted
param->max + 1 ... 0x100000000L + param->min - 1 ---> ERANGE
0x100000000L + param->min ... 0x100000000L + param->max ---> EINVAL
0x100000000L + param->max + 1, 0x200000000L + param->min - 1 ---> ERANGE
0x200000000L + param->min ... 0x200000000L + param->max ---> EINVAL
0x200000000L + param->max + 1, 0x300000000L + param->min - 1 ---> ERANGE
In do_proc_do*() routines which store values into unsigned int variables
(4 bytes wide for 64-bit builds), first validate that the input unsigned
long value (8 bytes wide for 64-bit builds) will fit inside the smaller
unsigned int variable. Then check that the unsigned int value falls
inside the specified parameter min, max range. Otherwise the unsigned
long -> unsigned int conversion drops leading bits from the input value,
leading to the inconsistent pattern Mikulas documented above.
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
kernel/sysctl.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 30b01b22014d..a04907158c90 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2587,12 +2587,13 @@ static int do_proc_douintvec_minmax_conv(unsigned long *lvalp,
if (write) {
unsigned int val = *lvalp;
+ if (*lvalp > UINT_MAX)
+ return -EINVAL;
+
if ((param->min && *param->min > val) ||
(param->max && *param->max < val))
return -ERANGE;
- if (*lvalp > UINT_MAX)
- return -EINVAL;
*valp = val;
} else {
unsigned int val = *valp;
@@ -2643,17 +2644,18 @@ static int do_proc_dopipe_max_size_conv(unsigned long *lvalp,
struct do_proc_dopipe_max_size_conv_param *param = data;
if (write) {
- unsigned int val = round_pipe_size(*lvalp);
+ unsigned int val;
+ if (*lvalp > UINT_MAX)
+ return -EINVAL;
+
+ val = round_pipe_size(*lvalp);
if (val == 0)
return -EINVAL;
if (param->min && *param->min > val)
return -ERANGE;
- if (*lvalp > UINT_MAX)
- return -EINVAL;
-
*valp = val;
} else {
unsigned int val = *valp;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups
2017-10-10 18:04 [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups Joe Lawrence
` (3 preceding siblings ...)
2017-10-10 18:04 ` [PATCH v3 4/4] sysctl: check for UINT_MAX before unsigned int min/max Joe Lawrence
@ 2017-10-12 14:05 ` Mikulas Patocka
2017-10-16 13:24 ` Joe Lawrence
5 siblings, 0 replies; 7+ messages in thread
From: Mikulas Patocka @ 2017-10-12 14:05 UTC (permalink / raw)
To: Joe Lawrence; +Cc: linux-kernel, Michael Kerrisk, Randy Dunlap
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
On Tue, 10 Oct 2017, Joe Lawrence wrote:
> While backporting Michael's "pipe: fix limit handling" patchset to a
> distro-kernel, Mikulas noticed that current upstream pipe limit handling
> contains a few problems:
>
> 1 - procfs signed wrap: echo'ing a large number into
> /proc/sys/fs/pipe-max-size and then cat'ing it back out shows a
> negative value.
>
> 2 - round_pipe_size() nr_pages overflow on 32bit: this would
> subsequently try roundup_pow_of_two(0), which is undefined.
>
> 3 - visible non-rounded pipe-max-size value: there is no mutual
> exclusion or protection between the time pipe_max_size is assigned
> a raw value from proc_dointvec_minmax() and when it is rounded.
>
> 4 - unsigned long -> unsigned int conversion makes for potential odd
> return errors from do_proc_douintvec_minmax_conv() and
> do_proc_dopipe_max_size_conv().
>
> This version underwent the same testing as v1:
> https://marc.info/?l=linux-kernel&m=150643571406022&w=2
>
> v1 (from rfc):
>
> - Re-arrange patchset order, push smaller fixes to the front
> - Add a check so that round_pipe_size(size < pipe_min_size) will round
> up to round_pipe_size(pipe_min_size) as per man page [RD]
> - Add new procfs proc_dopipe_max_size() and helpers to consolidate user
> space read / type validation / rounding / assignment [MP]
>
> v2:
> - Fix !CONFIG_PROC_SYSCTL build case [buildbots]
>
> v3:
> - s/proc_dointvec_minmax/proc_dopipe_max_size/ in comment
> preceding pipe_proc_fn()
> - Added a fourth patch to address -ERANGE vs. -EINVAL inconsistencies in
> do_proc_douintvec_minmax_conv() and do_proc_dopipe_max_size_conv().
>
> Joe Lawrence (4):
> pipe: match pipe_max_size data type with procfs
> pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
> pipe: add proc_dopipe_max_size() to safely assign pipe_max_size
> sysctl: check for UINT_MAX before unsigned int min/max
>
> fs/pipe.c | 23 ++++++++++---------
> include/linux/pipe_fs_i.h | 1 +
> include/linux/sysctl.h | 3 +++
> kernel/sysctl.c | 57 ++++++++++++++++++++++++++++++++++++++++++++---
> 4 files changed, 70 insertions(+), 14 deletions(-)
>
> --
> 1.8.3.1
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups
2017-10-10 18:04 [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups Joe Lawrence
` (4 preceding siblings ...)
2017-10-12 14:05 ` [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups Mikulas Patocka
@ 2017-10-16 13:24 ` Joe Lawrence
5 siblings, 0 replies; 7+ messages in thread
From: Joe Lawrence @ 2017-10-16 13:24 UTC (permalink / raw)
To: linux-kernel
Cc: Mikulas Patocka, Michael Kerrisk, Randy Dunlap, Alexander Viro,
Andrew Morton
On 10/10/2017 02:04 PM, Joe Lawrence wrote:
> While backporting Michael's "pipe: fix limit handling" patchset to a
> distro-kernel, Mikulas noticed that current upstream pipe limit handling
> contains a few problems:
>
> 1 - procfs signed wrap: echo'ing a large number into
> /proc/sys/fs/pipe-max-size and then cat'ing it back out shows a
> negative value.
>
> 2 - round_pipe_size() nr_pages overflow on 32bit: this would
> subsequently try roundup_pow_of_two(0), which is undefined.
>
> 3 - visible non-rounded pipe-max-size value: there is no mutual
> exclusion or protection between the time pipe_max_size is assigned
> a raw value from proc_dointvec_minmax() and when it is rounded.
>
> 4 - unsigned long -> unsigned int conversion makes for potential odd
> return errors from do_proc_douintvec_minmax_conv() and
> do_proc_dopipe_max_size_conv().
>
> This version underwent the same testing as v1:
> https://marc.info/?l=linux-kernel&m=150643571406022&w=2
>
> v1 (from rfc):
>
> - Re-arrange patchset order, push smaller fixes to the front
> - Add a check so that round_pipe_size(size < pipe_min_size) will round
> up to round_pipe_size(pipe_min_size) as per man page [RD]
> - Add new procfs proc_dopipe_max_size() and helpers to consolidate user
> space read / type validation / rounding / assignment [MP]
>
> v2:
> - Fix !CONFIG_PROC_SYSCTL build case [buildbots]
>
> v3:
> - s/proc_dointvec_minmax/proc_dopipe_max_size/ in comment
> preceding pipe_proc_fn()
> - Added a fourth patch to address -ERANGE vs. -EINVAL inconsistencies in
> do_proc_douintvec_minmax_conv() and do_proc_dopipe_max_size_conv().
>
> Joe Lawrence (4):
> pipe: match pipe_max_size data type with procfs
> pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
> pipe: add proc_dopipe_max_size() to safely assign pipe_max_size
> sysctl: check for UINT_MAX before unsigned int min/max
>
> fs/pipe.c | 23 ++++++++++---------
> include/linux/pipe_fs_i.h | 1 +
> include/linux/sysctl.h | 3 +++
> kernel/sysctl.c | 57 ++++++++++++++++++++++++++++++++++++++++++++---
> 4 files changed, 70 insertions(+), 14 deletions(-)
>
Thanks for the reviews, now who do I need to bug to get this merged into
a tree? :)
v1:
Reviewed-by: Michael Kerrisk <mtk.manpages@gmail.com>
"Looks good" from Randy Dunlap <rdunlap@infradead.org>
v3:
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
-- Joe
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2017-10-16 13:24 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-10-10 18:04 [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups Joe Lawrence
2017-10-10 18:04 ` [PATCH v3 1/4] pipe: match pipe_max_size data type with procfs Joe Lawrence
2017-10-10 18:04 ` [PATCH v3 2/4] pipe: avoid round_pipe_size() nr_pages overflow on 32-bit Joe Lawrence
2017-10-10 18:04 ` [PATCH v3 3/4] pipe: add proc_dopipe_max_size() to safely assign pipe_max_size Joe Lawrence
2017-10-10 18:04 ` [PATCH v3 4/4] sysctl: check for UINT_MAX before unsigned int min/max Joe Lawrence
2017-10-12 14:05 ` [PATCH v3 0/4] A few round_pipe_size() and pipe-max-size fixups Mikulas Patocka
2017-10-16 13:24 ` Joe Lawrence
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.