| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 Sep 2017 10:21:21 -0400
From: Joe Lawrence <joe.lawrence@...hat.com>
To: linux-kernel@...r.kernel.org
Cc: Mikulas Patocka <mpatocka@...hat.com>,
Michael Kerrisk <mtk.manpages@...il.com>,
Randy Dunlap <rdunlap@...radead.org>
Subject: [PATCH 0/3] A few round_pipe_size() and pipe-max-size fixups
While backporting Michael's "pipe: fix limit handling" patchset to a
distro-kernel, Mikulas noticed that current upstream pipe limit handling
contains a few problems:
1 - procfs signed wrap: echo'ing a large number into
/proc/sys/fs/pipe-max-size and then cat'ing it back out shows a
negative value.
2 - round_pipe_size() nr_pages overflow on 32bit: this would
subsequently try roundup_pow_of_two(0), which is undefined.
3 - visible non-rounded pipe-max-size value: there is no mutual
exclusion or protection between the time pipe_max_size is assigned
a raw value from proc_dointvec_minmax() and when it is rounded.
v1 (differences from initial rfc):
- Re-arrange patchset order, push smaller fixes to the front
- Add a check so that round_pipe_size(size < pipe_min_size) will round
up to round_pipe_size(pipe_min_size) as per man page [RD]
- Add new procfs proc_dopipe_max_size() and helpers to consolidate user
space read / type validation / rounding / assignment [MP]
Testing
=======
Tests run on both 32 and 64-bit kernels.
Patch 1 - procfs signed wrap
----------------------------
Before:
% echo 2147483647 >/proc/sys/fs/pipe-max-size
% cat /proc/sys/fs/pipe-max-size
-2147483648
After:
% echo 2147483647 >/proc/sys/fs/pipe-max-size
% cat /proc/sys/fs/pipe-max-size
2147483648
Patch 2 - 32bit overflow
------------------------
>From userspace:
fcntl(fd, F_SETPIPE_SZ, 0xffffffff);
- Before: return value was 4096 (due to overflow) and was set to 4096
- After: returns -1 and sets errno EINVAL, pipe size remains untouched
Patch 3 - non-rounded pipe-max-size value
-----------------------------------------
Keep plugging in values that need to be rounded:
while (true); do echo 1048570 > /proc/sys/fs/pipe-max-size; done
and in another terminal, loop around reading the value:
time (while (true); do SIZE=$(cat /proc/sys/fs/pipe-max-size); [[ $(( $SIZE % 4096 )) -ne 0 ]] && break; done; echo "$SIZE")
1048570
real 0m46.213s
user 0m29.688s
sys 0m20.042s
- Before: found a non-rounded value within a few minutes
- After: never encountered a non-page-rounded value
Joe Lawrence (3):
pipe: match pipe_max_size data type with procfs
pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
pipe: add proc_dopipe_max_size() to safely assign pipe_max_size
fs/pipe.c | 21 +++++++++++----------
include/linux/pipe_fs_i.h | 1 +
include/linux/sysctl.h | 3 +++
kernel/sysctl.c | 45 ++++++++++++++++++++++++++++++++++++++++++++-
4 files changed, 59 insertions(+), 11 deletions(-)
--
1.8.3.1
Powered by blists - more mailing lists