lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 13 May 2021 17:06:48 +0100
From:   "Matthew Wilcox (Oracle)" <willy@...radead.org>
To:     linux-kernel@...r.kernel.org, Josef Bacik <josef@...icpanda.com>,
        Christoph Hellwig <hch@....de>,
        Al Viro <viro@...iv.linux.org.uk>,
        Kees Cook <keescook@...omium.org>
Cc:     "Matthew Wilcox (Oracle)" <willy@...radead.org>,
        linux-abi@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        Alexey Dobriyan <adobriyan@...il.com>
Subject: [PATCH] sysctl: Limit the size of I/Os to PAGE_SIZE

We currently allow a read or a write that is up to KMALLOC_MAX_SIZE.
This has caused problems when cat decides to do a 64kB read and
so we allocate a 64kB buffer for the sysctl handler to store into.
The immediate problem was fixed by switching to kvmalloc(), but it's
ridiculous to allocate so much memory to read what is likely to be a
few bytes.

sysfs limits reads and writes to PAGE_SIZE, and I feel we should do the
same for sysctl.  The largest sysctl anyone's been able to come up with
is 433 bytes for /proc/sys/dev/cdrom/info

This will allow simplifying the BPF sysctl code later, but I'll leave
that for someone who understands it better.

Signed-off-by: Matthew Wilcox (Oracle) <willy@...radead.org>
---
 fs/proc/proc_sysctl.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index dea0f5ee540c..a97a8a4ff270 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -562,11 +562,14 @@ static ssize_t proc_sys_call_handler(struct kiocb *iocb, struct iov_iter *iter,
 	if (!table->proc_handler)
 		goto out;
 
-	/* don't even try if the size is too large */
+	/* reads may return short values; large writes must fail now */
+	if (count >= PAGE_SIZE) {
+		if (write)
+			goto out;
+		count = PAGE_SIZE;
+	}
 	error = -ENOMEM;
-	if (count >= KMALLOC_MAX_SIZE)
-		goto out;
-	kbuf = kvzalloc(count + 1, GFP_KERNEL);
+	kbuf = kmalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!kbuf)
 		goto out;
 
@@ -582,12 +585,12 @@ static ssize_t proc_sys_call_handler(struct kiocb *iocb, struct iov_iter *iter,
 	if (error)
 		goto out_free_buf;
 
-	/* careful: calling conventions are nasty here */
 	error = table->proc_handler(table, write, kbuf, &count, &iocb->ki_pos);
 	if (error)
 		goto out_free_buf;
 
 	if (!write) {
+		/* Give BPF the chance to override a read result here? */
 		error = -EFAULT;
 		if (copy_to_iter(kbuf, count, iter) < count)
 			goto out_free_buf;
@@ -595,7 +598,7 @@ static ssize_t proc_sys_call_handler(struct kiocb *iocb, struct iov_iter *iter,
 
 	error = count;
 out_free_buf:
-	kvfree(kbuf);
+	kfree(kbuf);
 out:
 	sysctl_head_finish(head);
 
-- 
2.30.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ