| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 07 Jun 2018 15:05:21 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC: akpm@...ux-foundation.org,
"Michael Kerrisk" <mtk.manpages@...il.com>,
"Kees Cook" <keescook@...omium.org>,
"Mikulas Patocka" <mpatocka@...hat.com>,
"Eric Biggers" <ebiggers@...gle.com>,
"Joe Lawrence" <joe.lawrence@...hat.com>,
"Willy Tarreau" <w@....eu>,
"Alexander Viro" <viro@...iv.linux.org.uk>,
"Luis R . Rodriguez" <mcgrof@...nel.org>,
"Linus Torvalds" <torvalds@...ux-foundation.org>
Subject: [PATCH 3.16 214/410] pipe: reject F_SETPIPE_SZ with size over
UINT_MAX
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@...gle.com>
commit 96e99be40e4cff870a83233731121ec0f7f95075 upstream.
A pipe's size is represented as an 'unsigned int'. As expected, writing a
value greater than UINT_MAX to /proc/sys/fs/pipe-max-size fails with
EINVAL. However, the F_SETPIPE_SZ fcntl silently truncates such values to
32 bits, rather than failing with EINVAL as expected. (It *does* fail
with EINVAL for values above (1 << 31) but <= UINT_MAX.)
Fix this by moving the check against UINT_MAX into round_pipe_size() which
is called in both cases.
Link: http://lkml.kernel.org/r/20180111052902.14409-6-ebiggers3@gmail.com
Signed-off-by: Eric Biggers <ebiggers@...gle.com>
Acked-by: Kees Cook <keescook@...omium.org>
Acked-by: Joe Lawrence <joe.lawrence@...hat.com>
Cc: Alexander Viro <viro@...iv.linux.org.uk>
Cc: "Luis R . Rodriguez" <mcgrof@...nel.org>
Cc: Michael Kerrisk <mtk.manpages@...il.com>
Cc: Mikulas Patocka <mpatocka@...hat.com>
Cc: Willy Tarreau <w@....eu>
Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
fs/pipe.c | 5 ++++-
include/linux/pipe_fs_i.h | 2 +-
kernel/sysctl.c | 3 ---
3 files changed, 5 insertions(+), 5 deletions(-)
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1008,10 +1008,13 @@ const struct file_operations pipefifo_fo
* Currently we rely on the pipe array holding a power-of-2 number
* of pages. Returns 0 on error.
*/
-unsigned int round_pipe_size(unsigned int size)
+unsigned int round_pipe_size(unsigned long size)
{
unsigned long nr_pages;
+ if (size > UINT_MAX)
+ return 0;
+
/* Minimum pipe size, as required by POSIX */
if (size < PAGE_SIZE)
size = PAGE_SIZE;
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -148,6 +148,6 @@ long pipe_fcntl(struct file *, unsigned
struct pipe_inode_info *get_pipe_info(struct file *file);
int create_pipe_files(struct file **, int);
-unsigned int round_pipe_size(unsigned int size);
+unsigned int round_pipe_size(unsigned long size);
#endif
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2230,9 +2230,6 @@ static int do_proc_dopipe_max_size_conv(
if (write) {
unsigned int val;
- if (*lvalp > UINT_MAX)
- return -EINVAL;
-
val = round_pipe_size(*lvalp);
if (*negp || val == 0)
return -EINVAL;
Powered by blists - more mailing lists