lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <32934D05-E7A7-4A2C-92EF-96A0580F2234@tonyibbs.co.uk>
Date:	Fri, 15 Apr 2011 22:34:53 +0100
From:	Tony Ibbs <tibs@...yibbs.co.uk>
To:	Jonathan Corbet <corbet@....net>
Cc:	Grant Likely <grant.likely@...retlab.ca>,
	lkml <linux-kernel@...r.kernel.org>,
	Linux-embedded <linux-embedded@...r.kernel.org>,
	Tibs at Kynesim <tibs@...esim.co.uk>,
	Richard Watts <rrw@...esim.co.uk>
Subject: [PATCH] extra/1 Allow setting the maximum KBUS message size


On 22 Mar 2011, at 19:36, Jonathan Corbet wrote:

> - Does anything bound the size of a message fed into the kernel with
>  write()?  I couldn't find it.  It seems like an application could
>  consume arbitrary amounts of kernel memory.

This patch provides mechanisms for setting an absolute maximum message
size at compile time, and a per-device maximum at runtime.

The patch is relative to the results of the previous set of patches - I
assume this is better than resubmitting all of them for what is a
relatively small change.

> - It would be good to use the kernel's dynamic debugging and tracing
>  facilities rather than rolling your own.
>
> - There's lots of kmalloc()/memset() pairs that could be kzalloc().

I shall address these next, although I'm afraid it may be a few days.
Thanks, by the way, for the timely LWN article on the dynamic debugging
interface.

Signed-off-by: Tony Ibbs <tibs@...yibbs.co.uk>
---
 Documentation/Kbus.txt     |   15 ++++++++++-
 include/linux/kbus_defns.h |   14 ++++++++++-
 ipc/Kconfig                |   32 ++++++++++++++++++++++++-
 ipc/kbus_internal.h        |   11 ++++++++
 ipc/kbus_main.c            |   57 ++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 126 insertions(+), 3 deletions(-)

diff --git a/Documentation/Kbus.txt b/Documentation/Kbus.txt
index 7cf723fd6..16828b9 100644
--- a/Documentation/Kbus.txt
+++ b/Documentation/Kbus.txt
@@ -1058,6 +1058,18 @@ header file (``kbus_defns.h``). They are:
                 Both Python and C bindings provide a useful function to
                 extract the ``is_bind``, ``binder`` and ``name`` values from
                 the data.
+:MAXMSGSIZE:    Set the maximum size of a KBUS message for this KBUS device,
+                and return the value that is set. This is the size of the
+                largest message that may be written to a KBUS Ksock. Trying
+                to write a longer message will result in an -EMSGSIZE error.
+                An attempt to set this value of 0 will just return the current
+                maximum size. Otherwise, the size requested may not be less
+                than 100, or more than the kernel configuration value
+                KBUS_ABS_MAX_MESSAGE_SIZE.  The default maximum size is set by
+                the kernel configuration value KBUS_DEF_MAX_MESSAGE_SIZE, and
+                is typically 1024.  The size being tested is that returned by
+                the KBUS_ENTIRE_MESSAGE_LEN macro - i.e., the size of an
+                equivalent "entire" message.
 
 /proc/kbus/bindings
 -------------------
@@ -1158,7 +1170,8 @@ as values inside the IOError exception.
 :EINVAL:        Something went wrong (generic error).
 :EMSGSIZE:      On attempting to write a message: Data was written after
                 the end of the message (i.e., after the final end guard
-                of the message).
+                of the message), or an attempt was made to write a message
+                that is too long (see the MAXMSGSIZE ioctl).
 :ENAMETOOLONG:  On attempting to bind, unbind or send a message: The message
                 name is too long.
 :ENOENT:        On attempting to open a Ksock: There is no such device
diff --git a/include/linux/kbus_defns.h b/include/linux/kbus_defns.h
index 82779a6..29f6f99 100644
--- a/include/linux/kbus_defns.h
+++ b/include/linux/kbus_defns.h
@@ -655,9 +655,21 @@ struct kbus_replier_bind_event_data {
  * of the specified values)
  */
 #define KBUS_IOC_REPORTREPLIERBINDS  _IOWR(KBUS_IOC_MAGIC, 17, char *)
+/*
+ * MAXMSGSIZE - set the maximum size of a KBUS message for this KBUS device.
+ * This may not be set to less than 100, or more than
+ * CONFIG_KBUS_ABS_MAX_MESSAGE_SIZE.
+ * arg (in): __u32, the requested maximum message size, or 0 to just
+ *           request what the current limit is, 1 to request the absolute
+ *           maximum size.
+ * arg (out): __u32, the maximum essage size after this call has
+ *            succeeded
+ * retval: 0 for success, negative for failure
+ */
+#define KBUS_IOC_MAXMSGSIZE _IOWR(KBUS_IOC_MAGIC, 18, char *)
 
 /* If adding another IOCTL, remember to increment the next number! */
-#define KBUS_IOC_MAXNR	17
+#define KBUS_IOC_MAXNR	18
 
 #if !__KERNEL__ && defined(__cplusplus)
 }
diff --git a/ipc/Kconfig b/ipc/Kconfig
index 808d742..603b2f6 100644
--- a/ipc/Kconfig
+++ b/ipc/Kconfig
@@ -113,5 +113,35 @@ config KBUS_MAX_UNSENT_UNBIND_MESSAGES
 
 	  If unsure, choose the default.
 
-endif # KBUS
+config KBUS_ABS_MAX_MESSAGE_SIZE
+	int "Absolute maximum KBUS mesage size"
+	default 1024
+	range 100 2147483647
+	---help---
+	  This sets the absolute maximum size of an individual KBUS message,
+	  that is, the size of the largest KBUS message that may be written
+	  to a KBUS device node.
+
+	  It is not possible to set the maximum message size greater than
+	  this value using the KBUS_IOC_MAXMSGSIZE ioctl.
 
+	  The size is measured as by the KBUS_ENTIRE_MSG_LEN macro, and
+	  includes the message header (80 bytes on a 32-bit system).
+
+config KBUS_DEF_MAX_MESSAGE_SIZE
+	int "Default maximum KBUS mesage size"
+	default 1024
+	range 100 KBUS_ABS_MAX_MESSAGE_SIZE
+	---help---
+	  This sets the default maximum size of an individual KBUS message,
+	  that is, the size of the largest KBUS message that may be written
+	  to a KBUS device node.
+
+	  It may be altered at runtime, for a particular KBUS device, with
+	  the KBUS_IOC_MAXMSGSIZE ioctl, up to a limit of
+	  KBUS_ABS_MAX_MESSAGE_SIZE.
+
+	  The size is measured as by the KBUS_ENTIRE_MSG_LEN macro, and
+	  includes the message header (80 bytes on a 32-bit system).
+
+endif # KBUS
diff --git a/ipc/kbus_internal.h b/ipc/kbus_internal.h
index a24fcaf..51d512c 100644
--- a/ipc/kbus_internal.h
+++ b/ipc/kbus_internal.h
@@ -86,6 +86,14 @@
 #define CONFIG_KBUS_DEF_NUM_DEVICES	1
 #endif
 
+#ifndef CONFIG_KBUS_ABS_MAX_MESSAGE_SIZE
+#define CONFIG_KBUS_ABS_MAX_MESSAGE_SIZE 1024
+#endif
+
+#ifndef CONFIG_KBUS_DEF_MAX_MESSAGE_SIZE
+#define CONFIG_KBUS_DEF_MAX_MESSAGE_SIZE 1024
+#endif
+
 /*
  * Our initial array sizes could arguably be made configurable
  * for tuning, if we discover this is useful
@@ -685,6 +693,9 @@ struct kbus_dev {
 	struct list_head unsent_unbind_msg_list;
 	u32 unsent_unbind_msg_count;
 	int unsent_unbind_is_tragic;
+
+	/* The maximum message size that may be written to this device */
+	u32 max_message_size;
 };
 
 /*
diff --git a/ipc/kbus_main.c b/ipc/kbus_main.c
index e99bfca..64f863a 100644
--- a/ipc/kbus_main.c
+++ b/ipc/kbus_main.c
@@ -615,6 +615,8 @@ static int kbus_check_message_written(struct kbus_dev *dev,
 	struct kbus_message_header *user_msg =
 	    (struct kbus_message_header *)&this->user_msg;
 
+	int	msg_size;
+
 	if (this == NULL) {
 		dev_err(dev->dev, "pid %u [%s]"
 		       " Tried to check NULL message\n",
@@ -683,6 +685,15 @@ static int kbus_check_message_written(struct kbus_dev *dev,
 		       current->pid, current->comm);
 		return -EINVAL;
 	}
+
+	msg_size = KBUS_ENTIRE_MSG_LEN(user_msg->name_len, user_msg->data_len);
+	if (msg_size > dev->max_message_size) {
+		dev_err(dev->dev, "pid %u [%s]"
+			"Message size is %d, more than the maximum %d\n",
+			current->pid, current->comm,
+			msg_size, dev->max_message_size);
+		return -EMSGSIZE;
+	}
 	return 0;
 }
 
@@ -4150,6 +4161,39 @@ static int kbus_set_report_binds(struct kbus_private_data *priv,
 	return __put_user(old_value, (u32 __user *) arg);
 }
 
+static int kbus_maxmsgsize(struct kbus_private_data *priv,
+			   unsigned long arg)
+{
+	int retval = 0;
+	u32 requested_max;
+
+	retval = __get_user(requested_max, (u32 __user *) arg);
+	if (retval)
+		return retval;
+
+	kbus_maybe_dbg(priv->dev, "%u MAXMSGSIZE requests %u (was %u)\n",
+		       priv->id, requested_max, priv->dev->max_message_size);
+
+	dev_dbg(priv->dev->dev, "    abs max %d, def max %d\n",
+		CONFIG_KBUS_ABS_MAX_MESSAGE_SIZE,
+		CONFIG_KBUS_DEF_MAX_MESSAGE_SIZE);
+
+	/* A value of 0 is a query for the current length */
+	/* A value of 1 is a query for the absolute maximum */
+	if (requested_max == 0)
+		return __put_user(priv->dev->max_message_size,
+				  (u32 __user *) arg);
+	else if (requested_max == 1)
+		return __put_user(CONFIG_KBUS_ABS_MAX_MESSAGE_SIZE,
+				  (u32 __user *) arg);
+	else if (requested_max < 100 ||
+		 requested_max > CONFIG_KBUS_ABS_MAX_MESSAGE_SIZE)
+		return -EINVAL;
+
+	priv->dev->max_message_size = requested_max;
+	return __put_user(priv->dev->max_message_size, (u32 __user *) arg);
+}
+
 static long kbus_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 {
 	int err = 0;
@@ -4357,6 +4401,18 @@ static long kbus_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 		retval = kbus_set_report_binds(priv, dev, arg);
 		break;
 
+	case KBUS_IOC_MAXMSGSIZE:
+		/*
+		 * Set (and/or query) maximum message size
+		 *
+		 * arg in: 0 or 1 (for query of current maximum or absolute
+		 * maximu) or maximum size wanted
+		 * arg out: maximum size allowed
+		 * return: 0 means OK, otherwise not OK
+		 */
+		retval = kbus_maxmsgsize(priv, arg);
+		break;
+
 	default:
 		/* *Should* be redundant, if we got our range checks right */
 		retval = -ENOTTY;
@@ -4545,6 +4601,7 @@ static int kbus_setup_new_device(int which)
 	new->index = which;
 
 	new->verbose = KBUS_DEFAULT_VERBOSE_SETTING;
+	new->max_message_size = CONFIG_KBUS_DEF_MAX_MESSAGE_SIZE;
 
 	new->dev = device_create(kbus_class_p, NULL,
 				 this_devno, NULL, "kbus%d", which);
-- 
1.7.4.1


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ