lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1506435684-3163-1-git-send-email-joe.lawrence@redhat.com>
Date:   Tue, 26 Sep 2017 10:21:21 -0400
From:   Joe Lawrence <joe.lawrence@...hat.com>
To:     linux-kernel@...r.kernel.org
Cc:     Mikulas Patocka <mpatocka@...hat.com>,
        Michael Kerrisk <mtk.manpages@...il.com>,
        Randy Dunlap <rdunlap@...radead.org>
Subject: [PATCH 0/3] A few round_pipe_size() and pipe-max-size fixups

While backporting Michael's "pipe: fix limit handling" patchset to a
distro-kernel, Mikulas noticed that current upstream pipe limit handling
contains a few problems:

  1 - procfs signed wrap: echo'ing a large number into
      /proc/sys/fs/pipe-max-size and then cat'ing it back out shows a
      negative value.

  2 - round_pipe_size() nr_pages overflow on 32bit:  this would
      subsequently try roundup_pow_of_two(0), which is undefined.

  3 - visible non-rounded pipe-max-size value: there is no mutual
      exclusion or protection between the time pipe_max_size is assigned
      a raw value from proc_dointvec_minmax() and when it is rounded.

v1 (differences from initial rfc):

- Re-arrange patchset order, push smaller fixes to the front

- Add a check so that round_pipe_size(size < pipe_min_size) will round
  up to round_pipe_size(pipe_min_size) as per man page [RD]

- Add new procfs proc_dopipe_max_size() and helpers to consolidate user
  space read / type validation / rounding / assignment [MP]


Testing
=======

Tests run on both 32 and 64-bit kernels.


Patch 1 - procfs signed wrap
----------------------------
Before:

  % echo 2147483647 >/proc/sys/fs/pipe-max-size
  % cat /proc/sys/fs/pipe-max-size
  -2147483648

After:

  % echo 2147483647 >/proc/sys/fs/pipe-max-size
  % cat /proc/sys/fs/pipe-max-size
  2147483648


Patch 2 - 32bit overflow
------------------------
>From userspace:

  fcntl(fd, F_SETPIPE_SZ, 0xffffffff);

- Before: return value was 4096 (due to overflow) and was set to 4096
- After: returns -1 and sets errno EINVAL, pipe size remains untouched


Patch 3 - non-rounded pipe-max-size value
-----------------------------------------
Keep plugging in values that need to be rounded:

  while (true); do echo 1048570 > /proc/sys/fs/pipe-max-size; done

and in another terminal, loop around reading the value:

  time (while (true); do SIZE=$(cat /proc/sys/fs/pipe-max-size); [[ $(( $SIZE % 4096 )) -ne 0 ]] && break; done; echo "$SIZE")
  1048570

  real    0m46.213s
  user    0m29.688s
  sys     0m20.042s

- Before: found a non-rounded value within a few minutes
- After:  never encountered a non-page-rounded value


Joe Lawrence (3):
  pipe: match pipe_max_size data type with procfs
  pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
  pipe: add proc_dopipe_max_size() to safely assign pipe_max_size

 fs/pipe.c                 | 21 +++++++++++----------
 include/linux/pipe_fs_i.h |  1 +
 include/linux/sysctl.h    |  3 +++
 kernel/sysctl.c           | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 4 files changed, 59 insertions(+), 11 deletions(-)

-- 
1.8.3.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ