linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Waiman Long <longman@redhat.com>
To: Christian Brauner <christian@brauner.io>,
	keescook@chromium.org, linux-kernel@vger.kernel.org
Cc: ebiederm@xmission.com, mcgrof@kernel.org,
	akpm@linux-foundation.org, joe.lawrence@redhat.com,
	linux@dominikbrodowski.net, viro@zeniv.linux.org.uk
Subject: Re: [PATCH v1 2/2] sysctl: handle overflow for file-max
Date: Tue, 16 Oct 2018 11:13:28 -0400	[thread overview]
Message-ID: <22319ca1-6dab-fe36-40d5-9c88f7a175ee@redhat.com> (raw)
In-Reply-To: <20181015105544.4395-3-christian@brauner.io>

On 10/15/2018 06:55 AM, Christian Brauner wrote:
> Currently, when writing
>
> echo 18446744073709551616 > /proc/sys/fs/file-max
>
> /proc/sys/fs/file-max will overflow and be set to 0. That quickly
> crashes the system.
> This commit explicitly caps the value for file-max to ULONG_MAX.
>
> Note, this isn't technically necessary since proc_get_long() will already
> return ULONG_MAX. However, two reason why we still should do this:
> 1. it makes it explicit what the upper bound of file-max is instead of
>    making readers of the code infer it from proc_get_long() themselves
> 2. other tunebles than file-max may want to set a lower max value than
>    ULONG_MAX and we need to enable __do_proc_doulongvec_minmax() to handle
>    such cases too
>
> Cc: Kees Cook <keescook@chromium.org>
> Signed-off-by: Christian Brauner <christian@brauner.io>
> ---
> v0->v1:
> - if max value is < than ULONG_MAX use max as upper bound
> - (Dominik) remove double "the" from commit message
> ---
>  kernel/sysctl.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 97551eb42946..226d4eaf4b0e 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -127,6 +127,7 @@ static int __maybe_unused one = 1;
>  static int __maybe_unused two = 2;
>  static int __maybe_unused four = 4;
>  static unsigned long one_ul = 1;
> +static unsigned long ulong_max = ULONG_MAX;
>  static int one_hundred = 100;
>  static int one_thousand = 1000;
>  #ifdef CONFIG_PRINTK
> @@ -1696,6 +1697,7 @@ static struct ctl_table fs_table[] = {
>  		.maxlen		= sizeof(files_stat.max_files),
>  		.mode		= 0644,
>  		.proc_handler	= proc_doulongvec_minmax,
> +		.extra2		= &ulong_max,

What is the point of having a maximum value of ULONG_MAX anyway? No
value you can put into a ulong type can be bigger than that.

>  	},
>  	{
>  		.procname	= "nr_open",
> @@ -2795,6 +2797,8 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
>  				break;
>  			if (neg)
>  				continue;
> +			if (max && val > *max)
> +				val = *max;
>  			val = convmul * val / convdiv;
>  			if ((min && val < *min) || (max && val > *max))
>  				continue;

This does introduce a change in behavior. Previously the out-of-bound
value is ignored, now it is capped at its maximum. This is a
user-visible change.

Cheers,
Longman



  parent reply	other threads:[~2018-10-16 15:13 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-15 10:55 [PATCH v1 0/2] sysctl: cap file-max value at ULONG_MAX Christian Brauner
2018-10-15 10:55 ` [PATCH v1 1/2] sysctl: cap to ULONG_MAX in proc_get_long() Christian Brauner
2018-10-15 16:18   ` Kees Cook
2018-10-15 16:30     ` Christian Brauner
2018-10-15 19:01       ` Christian Brauner
2018-10-15 10:55 ` [PATCH v1 2/2] sysctl: handle overflow for file-max Christian Brauner
2018-10-15 16:11   ` Kees Cook
2018-10-15 16:28     ` Christian Brauner
2018-10-15 21:20       ` Kees Cook
2018-10-16 13:16         ` Christian Brauner
2018-10-16 14:38           ` Christian Brauner
2018-10-16 15:13   ` Waiman Long [this message]
2018-10-16 15:21     ` Christian Brauner
2018-10-16 15:25       ` Waiman Long
2018-10-16 15:29         ` Christian Brauner
2018-10-16 15:33           ` Christian Brauner
2018-10-16 15:34           ` Waiman Long
2018-10-16 15:40             ` Christian Brauner
2018-10-16 15:44               ` Waiman Long
2018-10-16 15:47                 ` Christian Brauner
2018-10-16 15:53                   ` Waiman Long
2018-10-16 15:59                     ` Christian Brauner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=22319ca1-6dab-fe36-40d5-9c88f7a175ee@redhat.com \
    --to=longman@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=christian@brauner.io \
    --cc=ebiederm@xmission.com \
    --cc=joe.lawrence@redhat.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@dominikbrodowski.net \
    --cc=mcgrof@kernel.org \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).