linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Christian Brauner <christian@brauner.io>
To: keescook@chromium.org, linux-kernel@vger.kernel.org
Cc: ebiederm@xmission.com, mcgrof@kernel.org,
	akpm@linux-foundation.org, joe.lawrence@redhat.com,
	longman@redhat.com, Christian Brauner <christian@brauner.io>
Subject: [PATCH 1/2] sysctl: add overflow detection to proc_get_long()
Date: Sun, 14 Oct 2018 15:25:09 +0200	[thread overview]
Message-ID: <20181014132510.25943-2-christian@brauner.io> (raw)
In-Reply-To: <20181014132510.25943-1-christian@brauner.io>

proc_get_long() is a funny function. It uses simple_strtoul() and for a
good reason. proc_get_long() wants to always succeed the parse and
return the maybe incorrect value and the trailing characters to check
against a pre-defined list of acceptable trailing values.
However, simple_strtoul() doesn not surface overflows when it detects
them which is problematic since it can cause funny things like:

echo 18446744073709551616 > /proc/sys/fs/file-max
cat /proc/sys/fs/file-max
0

(which will cause your system to silently die behind your back.)

On the other hand kstrtoul() does do overflow detection but fails the
parse in this case, does not return the trailing characters, and also
fails the parse when anything other than '\n' is a trailing character
whereas proc_get_long() wants to be more lenient in this case.

Now, before adding another kstrtoul() function let's simply add
a static parse sysctl_strtoul_lenient() which does:
- always return a value even if incorrect
- reports overflow to the caller
- returns the trailing characters to the caller
This guarantees that we don't regress userspace in any way but also
allows us to adapt callers of proc_get_long() to make decisions what is
supposed to happen when overflow was detected.

Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Christian Brauner <christian@brauner.io>
---
 kernel/sysctl.c | 45 +++++++++++++++++++++++++++++++++++----------
 1 file changed, 35 insertions(+), 10 deletions(-)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index cc02050fd0c4..a9409375380c 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -67,6 +67,7 @@
 #include <linux/bpf.h>
 #include <linux/mount.h>
 #include <linux/pipe_fs_i.h>
+#include <../lib/kstrtox.h>
 
 #include <linux/uaccess.h>
 #include <asm/processor.h>
@@ -2065,6 +2066,28 @@ static void proc_skip_char(char **buf, size_t *size, const char v)
 	}
 }
 
+static unsigned long sysctl_strtoul_lenient(const char *cp, char **endp,
+					    unsigned int base, bool *overflow)
+{
+	unsigned long long result;
+	unsigned int rv;
+
+	cp = _parse_integer_fixup_radix(cp, &base);
+	rv = _parse_integer(cp, base, &result);
+	if ((rv & KSTRTOX_OVERFLOW) ||
+	    (result != (unsigned long long)(unsigned long)result))
+		*overflow = true;
+	else
+		*overflow = false;
+
+	cp += (rv & ~KSTRTOX_OVERFLOW);
+
+	if (endp)
+		*endp = (char *)cp;
+
+	return result;
+}
+
 #define TMPBUFLEN 22
 /**
  * proc_get_long - reads an ASCII formatted integer from a user buffer
@@ -2084,7 +2107,8 @@ static void proc_skip_char(char **buf, size_t *size, const char v)
  */
 static int proc_get_long(char **buf, size_t *size,
 			  unsigned long *val, bool *neg,
-			  const char *perm_tr, unsigned perm_tr_len, char *tr)
+			  const char *perm_tr, unsigned perm_tr_len, char *tr,
+			  bool *overflow)
 {
 	int len;
 	char *p, tmp[TMPBUFLEN];
@@ -2108,7 +2132,7 @@ static int proc_get_long(char **buf, size_t *size,
 	if (!isdigit(*p))
 		return -EINVAL;
 
-	*val = simple_strtoul(p, &p, 0);
+	*val = sysctl_strtoul_lenient(p, &p, 0, overflow);
 
 	len = p - tmp;
 
@@ -2251,7 +2275,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
 
 	for (; left && vleft--; i++, first=0) {
 		unsigned long lval;
-		bool neg;
+		bool neg, overflow;
 
 		if (write) {
 			left -= proc_skip_spaces(&p);
@@ -2259,8 +2283,9 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
 			if (!left)
 				break;
 			err = proc_get_long(&p, &left, &lval, &neg,
-					     proc_wspace_sep,
-					     sizeof(proc_wspace_sep), NULL);
+					    proc_wspace_sep,
+					    sizeof(proc_wspace_sep), NULL,
+					    &overflow);
 			if (err)
 				break;
 			if (conv(&neg, &lval, i, 1, data)) {
@@ -2319,7 +2344,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data,
 	unsigned long lval;
 	int err = 0;
 	size_t left;
-	bool neg;
+	bool neg, overflow;
 	char *kbuf = NULL, *p;
 
 	left = *lenp;
@@ -2342,7 +2367,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data,
 
 	err = proc_get_long(&p, &left, &lval, &neg,
 			     proc_wspace_sep,
-			     sizeof(proc_wspace_sep), NULL);
+			     sizeof(proc_wspace_sep), NULL, &overflow);
 	if (err || neg) {
 		err = -EINVAL;
 		goto out_free;
@@ -3078,10 +3103,10 @@ int proc_do_large_bitmap(struct ctl_table *table, int write,
 		proc_skip_char(&p, &left, '\n');
 		while (!err && left) {
 			unsigned long val_a, val_b;
-			bool neg;
+			bool neg, overflow;
 
 			err = proc_get_long(&p, &left, &val_a, &neg, tr_a,
-					     sizeof(tr_a), &c);
+					     sizeof(tr_a), &c, &overflow);
 			if (err)
 				break;
 			if (val_a >= bitmap_len || neg) {
@@ -3098,7 +3123,7 @@ int proc_do_large_bitmap(struct ctl_table *table, int write,
 			if (c == '-') {
 				err = proc_get_long(&p, &left, &val_b,
 						     &neg, tr_b, sizeof(tr_b),
-						     &c);
+						     &c, &overflow);
 				if (err)
 					break;
 				if (val_b >= bitmap_len || neg ||
-- 
2.17.1


  reply	other threads:[~2018-10-14 13:25 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-14 13:25 [PATCH 0/2] sysctl: cap file-max value at ULONG_MAX Christian Brauner
2018-10-14 13:25 ` Christian Brauner [this message]
2018-10-14 17:18   ` [PATCH 1/2] sysctl: add overflow detection to proc_get_long() Al Viro
2018-10-14 18:53     ` Christian Brauner
2018-10-15  0:03       ` Al Viro
2018-10-15  4:47         ` Christian Brauner
2018-10-14 13:25 ` [PATCH 2/2] sysctl: handle overflow for file-max Christian Brauner
2018-10-14 22:13 [PATCH 1/2] sysctl: add overflow detection to proc_get_long() Alexey Dobriyan
2018-10-14 22:43 ` Christian Brauner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181014132510.25943-2-christian@brauner.io \
    --to=christian@brauner.io \
    --cc=akpm@linux-foundation.org \
    --cc=ebiederm@xmission.com \
    --cc=joe.lawrence@redhat.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=longman@redhat.com \
    --cc=mcgrof@kernel.org \
    --subject='Re: [PATCH 1/2] sysctl: add overflow detection to proc_get_long()' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).