lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <a451bb84-4a38-b00c-5bbb-dbaf914b8788@gmail.com>
Date:   Sat, 20 Aug 2016 08:56:50 +1200
From:   "Michael Kerrisk (man-pages)" <mtk.manpages@...il.com>
To:     Vegard Nossum <vegard.nossum@...cle.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Cc:     mtk.manpages@...il.com, Willy Tarreau <w@....eu>,
        socketpair@...il.com,
        Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>,
        Jens Axboe <axboe@...com>, Al Viro <viro@...iv.linux.org.uk>,
        linux-api@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 4/8] pipe: fix limit checking in pipe_set_size()

Hi Vegard,

On 08/19/2016 08:30 PM, Vegard Nossum wrote:
> On 08/19/2016 07:25 AM, Michael Kerrisk (man-pages) wrote:
>> The limit checking in pipe_set_size() (used by fcntl(F_SETPIPE_SZ))
>> has the following problems:
> [...]
>> @@ -1030,6 +1030,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
>>   {
>>   	struct pipe_buffer *bufs;
>>   	unsigned int size, nr_pages;
>> +	long ret = 0;
>>
>>   	size = round_pipe_size(arg);
>>   	nr_pages = size >> PAGE_SHIFT;
>> @@ -1037,13 +1038,26 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
>>   	if (!nr_pages)
>>   		return -EINVAL;
>>
>> -	if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size)
>> -		return -EPERM;
>> +	account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);
>>
>> -	if ((too_many_pipe_buffers_hard(pipe->user) ||
>> -			too_many_pipe_buffers_soft(pipe->user)) &&
>> -			!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
>> -		return -EPERM;
>> +	/*
>> +	 * If trying to increase the pipe capacity, check that an
>> +	 * unprivileged user is not trying to exceed various limits.
>> +	 * (Decreasing the pipe capacity is always permitted, even
>> +	 * if the user is currently over a limit.)
>> +	 */
>> +	if (nr_pages > pipe->buffers) {
>> +		if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
>> +			ret = -EPERM;
>> +			goto out_revert_acct;
>> +		} else if ((too_many_pipe_buffers_hard(pipe->user) ||
>> +				too_many_pipe_buffers_soft(pipe->user)) &&
>> +				!capable(CAP_SYS_RESOURCE) &&
>> +				!capable(CAP_SYS_ADMIN)) {
>> +			ret = -EPERM;
>> +			goto out_revert_acct;
>> +		}
>> +	}
> 
> I'm slightly worried about not checking arg/nr_pages before we pass it
> on to account_pipe_buffers().
> 
> The potential problem happens if the user passes a very large number
> which will overflow pipe->user->pipe_bufs.
> 
> On 32-bit, sizeof(int) == sizeof(long), so if they pass arg = INT_MAX
> then round_pipe_size() returns INT_MAX. Although it's true that the
> accounting is done in terms of pages and not bytes, so you'd need on the
> order of (1 << 13) = 8192 processes hitting the limit at the same time
> in order to make it overflow, which seems a bit unlikely.
> 
> (See https://lkml.org/lkml/2016/8/12/215 for another discussion on the
> limit checking)
> 
> Is there any reason why we couldn't do the (size > pipe_max_size) check
> before calling account_pipe_buffers()?

No reason that I can see. Just a little more work to be done in the
code, I think.

Cheers,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ