* [PATCH 0/2] sysctl: cap file-max value at ULONG_MAX @ 2018-10-14 13:25 Christian Brauner 2018-10-14 13:25 ` [PATCH 1/2] sysctl: add overflow detection to proc_get_long() Christian Brauner 2018-10-14 13:25 ` [PATCH 2/2] sysctl: handle overflow for file-max Christian Brauner 0 siblings, 2 replies; 9+ messages in thread From: Christian Brauner @ 2018-10-14 13:25 UTC (permalink / raw) To: keescook, linux-kernel Cc: ebiederm, mcgrof, akpm, joe.lawrence, longman, Christian Brauner Hey, Currently, when writing echo 18446744073709551616 > /proc/sys/fs/file-max /proc/sys/fs/file-max will overflow and be set to 0. That quickly crashes the system. Let's detect the overflow and set to ULONG_MAX in this case effectively capping the value. The patch tries to ensure that there is no other user visible change in behavior for other values. Only when a maximum value is set for a specific sysctl will it be capped on overflow. The details are outlined in the commit message of the first commit. (This patchset is in reference to https://lkml.org/lkml/2018/10/11/585.) Thanks! Christian Christian Brauner (2): sysctl: add overflow detection to proc_get_long() sysctl: handle overflow for file-max kernel/sysctl.c | 54 ++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 42 insertions(+), 12 deletions(-) -- 2.17.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 1/2] sysctl: add overflow detection to proc_get_long() 2018-10-14 13:25 [PATCH 0/2] sysctl: cap file-max value at ULONG_MAX Christian Brauner @ 2018-10-14 13:25 ` Christian Brauner 2018-10-14 17:18 ` Al Viro 2018-10-14 13:25 ` [PATCH 2/2] sysctl: handle overflow for file-max Christian Brauner 1 sibling, 1 reply; 9+ messages in thread From: Christian Brauner @ 2018-10-14 13:25 UTC (permalink / raw) To: keescook, linux-kernel Cc: ebiederm, mcgrof, akpm, joe.lawrence, longman, Christian Brauner proc_get_long() is a funny function. It uses simple_strtoul() and for a good reason. proc_get_long() wants to always succeed the parse and return the maybe incorrect value and the trailing characters to check against a pre-defined list of acceptable trailing values. However, simple_strtoul() doesn not surface overflows when it detects them which is problematic since it can cause funny things like: echo 18446744073709551616 > /proc/sys/fs/file-max cat /proc/sys/fs/file-max 0 (which will cause your system to silently die behind your back.) On the other hand kstrtoul() does do overflow detection but fails the parse in this case, does not return the trailing characters, and also fails the parse when anything other than '\n' is a trailing character whereas proc_get_long() wants to be more lenient in this case. Now, before adding another kstrtoul() function let's simply add a static parse sysctl_strtoul_lenient() which does: - always return a value even if incorrect - reports overflow to the caller - returns the trailing characters to the caller This guarantees that we don't regress userspace in any way but also allows us to adapt callers of proc_get_long() to make decisions what is supposed to happen when overflow was detected. Cc: Kees Cook <keescook@chromium.org> Signed-off-by: Christian Brauner <christian@brauner.io> --- kernel/sysctl.c | 45 +++++++++++++++++++++++++++++++++++---------- 1 file changed, 35 insertions(+), 10 deletions(-) diff --git a/kernel/sysctl.c b/kernel/sysctl.c index cc02050fd0c4..a9409375380c 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -67,6 +67,7 @@ #include <linux/bpf.h> #include <linux/mount.h> #include <linux/pipe_fs_i.h> +#include <../lib/kstrtox.h> #include <linux/uaccess.h> #include <asm/processor.h> @@ -2065,6 +2066,28 @@ static void proc_skip_char(char **buf, size_t *size, const char v) } } +static unsigned long sysctl_strtoul_lenient(const char *cp, char **endp, + unsigned int base, bool *overflow) +{ + unsigned long long result; + unsigned int rv; + + cp = _parse_integer_fixup_radix(cp, &base); + rv = _parse_integer(cp, base, &result); + if ((rv & KSTRTOX_OVERFLOW) || + (result != (unsigned long long)(unsigned long)result)) + *overflow = true; + else + *overflow = false; + + cp += (rv & ~KSTRTOX_OVERFLOW); + + if (endp) + *endp = (char *)cp; + + return result; +} + #define TMPBUFLEN 22 /** * proc_get_long - reads an ASCII formatted integer from a user buffer @@ -2084,7 +2107,8 @@ static void proc_skip_char(char **buf, size_t *size, const char v) */ static int proc_get_long(char **buf, size_t *size, unsigned long *val, bool *neg, - const char *perm_tr, unsigned perm_tr_len, char *tr) + const char *perm_tr, unsigned perm_tr_len, char *tr, + bool *overflow) { int len; char *p, tmp[TMPBUFLEN]; @@ -2108,7 +2132,7 @@ static int proc_get_long(char **buf, size_t *size, if (!isdigit(*p)) return -EINVAL; - *val = simple_strtoul(p, &p, 0); + *val = sysctl_strtoul_lenient(p, &p, 0, overflow); len = p - tmp; @@ -2251,7 +2275,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table, for (; left && vleft--; i++, first=0) { unsigned long lval; - bool neg; + bool neg, overflow; if (write) { left -= proc_skip_spaces(&p); @@ -2259,8 +2283,9 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table, if (!left) break; err = proc_get_long(&p, &left, &lval, &neg, - proc_wspace_sep, - sizeof(proc_wspace_sep), NULL); + proc_wspace_sep, + sizeof(proc_wspace_sep), NULL, + &overflow); if (err) break; if (conv(&neg, &lval, i, 1, data)) { @@ -2319,7 +2344,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data, unsigned long lval; int err = 0; size_t left; - bool neg; + bool neg, overflow; char *kbuf = NULL, *p; left = *lenp; @@ -2342,7 +2367,7 @@ static int do_proc_douintvec_w(unsigned int *tbl_data, err = proc_get_long(&p, &left, &lval, &neg, proc_wspace_sep, - sizeof(proc_wspace_sep), NULL); + sizeof(proc_wspace_sep), NULL, &overflow); if (err || neg) { err = -EINVAL; goto out_free; @@ -3078,10 +3103,10 @@ int proc_do_large_bitmap(struct ctl_table *table, int write, proc_skip_char(&p, &left, '\n'); while (!err && left) { unsigned long val_a, val_b; - bool neg; + bool neg, overflow; err = proc_get_long(&p, &left, &val_a, &neg, tr_a, - sizeof(tr_a), &c); + sizeof(tr_a), &c, &overflow); if (err) break; if (val_a >= bitmap_len || neg) { @@ -3098,7 +3123,7 @@ int proc_do_large_bitmap(struct ctl_table *table, int write, if (c == '-') { err = proc_get_long(&p, &left, &val_b, &neg, tr_b, sizeof(tr_b), - &c); + &c, &overflow); if (err) break; if (val_b >= bitmap_len || neg || -- 2.17.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] sysctl: add overflow detection to proc_get_long() 2018-10-14 13:25 ` [PATCH 1/2] sysctl: add overflow detection to proc_get_long() Christian Brauner @ 2018-10-14 17:18 ` Al Viro 2018-10-14 18:53 ` Christian Brauner 0 siblings, 1 reply; 9+ messages in thread From: Al Viro @ 2018-10-14 17:18 UTC (permalink / raw) To: Christian Brauner Cc: keescook, linux-kernel, ebiederm, mcgrof, akpm, joe.lawrence, longman On Sun, Oct 14, 2018 at 03:25:09PM +0200, Christian Brauner wrote: > +static unsigned long sysctl_strtoul_lenient(const char *cp, char **endp, > + unsigned int base, bool *overflow) > +{ > + unsigned long long result; > + unsigned int rv; > + > + cp = _parse_integer_fixup_radix(cp, &base); > + rv = _parse_integer(cp, base, &result); > + if ((rv & KSTRTOX_OVERFLOW) || > + (result != (unsigned long long)(unsigned long)result)) > + *overflow = true; > + else > + *overflow = false; Yecchh... First of all, the cast back to unsigned long long is completely pointless. What's more, if (expr) foo = true; else foo = flase; is a fairly unidiomatic way to spell foo = expr; And... is there anything that would really care if this "overflow" thing had been replaced by simply returning ~0UL on such? That would appear to be a lot more natural API... ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] sysctl: add overflow detection to proc_get_long() 2018-10-14 17:18 ` Al Viro @ 2018-10-14 18:53 ` Christian Brauner 2018-10-15 0:03 ` Al Viro 0 siblings, 1 reply; 9+ messages in thread From: Christian Brauner @ 2018-10-14 18:53 UTC (permalink / raw) To: Al Viro Cc: keescook, linux-kernel, ebiederm, mcgrof, akpm, joe.lawrence, longman On Sun, Oct 14, 2018 at 06:18:55PM +0100, Al Viro wrote: > On Sun, Oct 14, 2018 at 03:25:09PM +0200, Christian Brauner wrote: > > > +static unsigned long sysctl_strtoul_lenient(const char *cp, char **endp, > > + unsigned int base, bool *overflow) > > +{ > > + unsigned long long result; > > + unsigned int rv; > > + > > + cp = _parse_integer_fixup_radix(cp, &base); > > + rv = _parse_integer(cp, base, &result); > > + if ((rv & KSTRTOX_OVERFLOW) || > > + (result != (unsigned long long)(unsigned long)result)) > > + *overflow = true; > > + else > > + *overflow = false; > > Yecchh... First of all, the cast back to unsigned long long is completely > pointless. What's more, Sorry, seriously asking: why? This was meant to handle the case where sizeof(unsigned long long) != sizeof(unsigned long) and I just looked at _kstrtoul() which does the same: int _kstrtoul(const char *s, unsigned int base, unsigned long *res) { unsigned long long tmp; int rv; rv = kstrtoull(s, base, &tmp); if (rv < 0) return rv; if (tmp != (unsigned long long)(unsigned long)tmp) return -ERANGE; *res = tmp; return 0; } Sorry, if I'm being dense here. > if (expr) > foo = true; > else > foo = flase; > is a fairly unidiomatic way to spell foo = expr; > > And... is there anything that would really care if this "overflow" thing had > been replaced by simply returning ~0UL on such? That would appear to be > a lot more natural API... Yes, I thought about this but I really didn't want to risk breaking anything that relies on the weird old behavior. We can change it to that and assume that anything that doesn't explicitly set a maximum value wants to be capped at ULONG_MAX. Fine with me. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] sysctl: add overflow detection to proc_get_long() 2018-10-14 18:53 ` Christian Brauner @ 2018-10-15 0:03 ` Al Viro 2018-10-15 4:47 ` Christian Brauner 0 siblings, 1 reply; 9+ messages in thread From: Al Viro @ 2018-10-15 0:03 UTC (permalink / raw) To: Christian Brauner Cc: keescook, linux-kernel, ebiederm, mcgrof, akpm, joe.lawrence, longman On Sun, Oct 14, 2018 at 08:53:46PM +0200, Christian Brauner wrote: > > Yecchh... First of all, the cast back to unsigned long long is completely > > pointless. What's more, > > Sorry, seriously asking: why? This was meant to handle the case where > sizeof(unsigned long long) != sizeof(unsigned long) and I just looked at > _kstrtoul() which does the same: > > int _kstrtoul(const char *s, unsigned int base, unsigned long *res) > { > unsigned long long tmp; > int rv; > > rv = kstrtoull(s, base, &tmp); > if (rv < 0) > return rv; > if (tmp != (unsigned long long)(unsigned long)tmp) > return -ERANGE; > *res = tmp; > return 0; > } > > Sorry, if I'm being dense here. C quiz: given that type of e1 is unsigned long long and type of e2 - unsigned long, what conversions are going to happen in e1 == e2? [relevant part of C standard: 6.5.9 (Equality operators), 6.3.1.8 (Usual arithmetic conversions)] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] sysctl: add overflow detection to proc_get_long() 2018-10-15 0:03 ` Al Viro @ 2018-10-15 4:47 ` Christian Brauner 0 siblings, 0 replies; 9+ messages in thread From: Christian Brauner @ 2018-10-15 4:47 UTC (permalink / raw) To: Al Viro Cc: keescook, linux-kernel, ebiederm, mcgrof, akpm, joe.lawrence, longman On October 15, 2018 2:03:10 AM GMT+02:00, Al Viro <viro@ZenIV.linux.org.uk> wrote: >On Sun, Oct 14, 2018 at 08:53:46PM +0200, Christian Brauner wrote: > >> > Yecchh... First of all, the cast back to unsigned long long is >completely >> > pointless. What's more, >> >> Sorry, seriously asking: why? This was meant to handle the case where >> sizeof(unsigned long long) != sizeof(unsigned long) and I just looked >at >> _kstrtoul() which does the same: >> >> int _kstrtoul(const char *s, unsigned int base, unsigned long *res) >> { >> unsigned long long tmp; >> int rv; >> >> rv = kstrtoull(s, base, &tmp); >> if (rv < 0) >> return rv; >> if (tmp != (unsigned long long)(unsigned long)tmp) >> return -ERANGE; >> *res = tmp; >> return 0; >> } >> >> Sorry, if I'm being dense here. > >C quiz: > given that type of e1 is unsigned long long and type of e2 - >unsigned long, what conversions are going to happen in e1 == e2? Yeah, I know that. As I said in my reply to Alexey before: I thought you were saying the whole right side of the disjunction was not needed. I also do like the explicit recast and followed what all of the other kstr*() functions are doing. Alexey sent a fix for all of them just a few hours ago [1] which - imho - is really not necessary. There's no harm done by this and it's a fairly widely used pattern. That being said, happy to remove the second explicit cast. [1]: https://lkml.org/lkml/2018/10/15/22 > >[relevant part of C standard: 6.5.9 (Equality operators), >6.3.1.8 (Usual arithmetic conversions)] ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 2/2] sysctl: handle overflow for file-max 2018-10-14 13:25 [PATCH 0/2] sysctl: cap file-max value at ULONG_MAX Christian Brauner 2018-10-14 13:25 ` [PATCH 1/2] sysctl: add overflow detection to proc_get_long() Christian Brauner @ 2018-10-14 13:25 ` Christian Brauner 1 sibling, 0 replies; 9+ messages in thread From: Christian Brauner @ 2018-10-14 13:25 UTC (permalink / raw) To: keescook, linux-kernel Cc: ebiederm, mcgrof, akpm, joe.lawrence, longman, Christian Brauner Currently, when writing echo 18446744073709551616 > /proc/sys/fs/file-max /proc/sys/fs/file-max will overflow and be set to 0. That quickly crashes the system. Let's detect the overflow and set to ULONG_MAX in this case effectively capping the value. Cc: Kees Cook <keescook@chromium.org> Signed-off-by: Christian Brauner <christian@brauner.io> --- kernel/sysctl.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/kernel/sysctl.c b/kernel/sysctl.c index a9409375380c..a3e4321b8ffa 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -127,6 +127,7 @@ static int __maybe_unused one = 1; static int __maybe_unused two = 2; static int __maybe_unused four = 4; static unsigned long one_ul = 1; +static unsigned long ulong_max = ULONG_MAX; static int one_hundred = 100; static int one_thousand = 1000; #ifdef CONFIG_PRINTK @@ -1696,6 +1697,7 @@ static struct ctl_table fs_table[] = { .maxlen = sizeof(files_stat.max_files), .mode = 0644, .proc_handler = proc_doulongvec_minmax, + .extra2 = &ulong_max, }, { .procname = "nr_open", @@ -2789,17 +2791,20 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int unsigned long val; if (write) { - bool neg; + bool neg, overflow; left -= proc_skip_spaces(&p); err = proc_get_long(&p, &left, &val, &neg, proc_wspace_sep, - sizeof(proc_wspace_sep), NULL); + sizeof(proc_wspace_sep), NULL, + &overflow); if (err) break; if (neg) continue; + if (overflow && max) + val = *max; val = convmul * val / convdiv; if ((min && val < *min) || (max && val > *max)) continue; -- 2.17.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] sysctl: add overflow detection to proc_get_long() @ 2018-10-14 22:13 Alexey Dobriyan 2018-10-14 22:43 ` Christian Brauner 0 siblings, 1 reply; 9+ messages in thread From: Alexey Dobriyan @ 2018-10-14 22:13 UTC (permalink / raw) To: christian; +Cc: linux-kernel, viro > > Yecchh... First of all, the cast back to unsigned long long is completely > > pointless. What's more, > > Sorry, seriously asking: why? In C everything is casted to the same type before doing an operation, in this case comparison > This was meant to handle the case where > sizeof(unsigned long long) != sizeof(unsigned long) and I just looked at > _kstrtoul() which does the same: Second cast is unnecessary. I don't remember why I did 2 casts. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH 1/2] sysctl: add overflow detection to proc_get_long() 2018-10-14 22:13 [PATCH 1/2] sysctl: add overflow detection to proc_get_long() Alexey Dobriyan @ 2018-10-14 22:43 ` Christian Brauner 0 siblings, 0 replies; 9+ messages in thread From: Christian Brauner @ 2018-10-14 22:43 UTC (permalink / raw) To: Alexey Dobriyan; +Cc: linux-kernel, viro, longman On October 15, 2018 12:13:25 AM GMT+02:00, Alexey Dobriyan <adobriyan@gmail.com> wrote: >> > Yecchh... First of all, the cast back to unsigned long long is >completely >> > pointless. What's more, >> >> Sorry, seriously asking: why? > >In C everything is casted to the same type before doing an operation, Oh, ok that's what we're talking about. I thought the whole check is pointless. I didn't read careful enough apparently. Tbh, even if the second cast is not necessary it makes implicit behavior explicit. I've also seen this form more than the one without the explicit cast. But I won't fight it. If other people prefer it without the second cast; fine. >in this case comparison > >> This was meant to handle the case where >> sizeof(unsigned long long) != sizeof(unsigned long) and I just looked >at >> _kstrtoul() which does the same: > >Second cast is unnecessary. I don't remember why I did 2 casts. ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2018-10-15 4:47 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-10-14 13:25 [PATCH 0/2] sysctl: cap file-max value at ULONG_MAX Christian Brauner 2018-10-14 13:25 ` [PATCH 1/2] sysctl: add overflow detection to proc_get_long() Christian Brauner 2018-10-14 17:18 ` Al Viro 2018-10-14 18:53 ` Christian Brauner 2018-10-15 0:03 ` Al Viro 2018-10-15 4:47 ` Christian Brauner 2018-10-14 13:25 ` [PATCH 2/2] sysctl: handle overflow for file-max Christian Brauner 2018-10-14 22:13 [PATCH 1/2] sysctl: add overflow detection to proc_get_long() Alexey Dobriyan 2018-10-14 22:43 ` Christian Brauner
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).