| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20211209085635.1288737-1-libaokun1@huawei.com>
Date: Thu, 9 Dec 2021 16:56:35 +0800
From: Baokun Li <libaokun1@...wei.com>
To: <mcgrof@...nel.org>, <keescook@...omium.org>, <yzaikin@...gle.com>
CC: <linux-kernel@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>,
<libaokun1@...wei.com>, <yukuai3@...wei.com>,
Hulk Robot <hulkci@...wei.com>
Subject: [PATCH -next] sysctl: returns -EINVAL when a negative value is passed to proc_doulongvec_minmax
When we pass a negative value to the proc_doulongvec_minmax() function,
the function returns 0, but the corresponding interface value does not
change.
we can easily reproduce this problem with the following commands:
`cd /proc/sys/fs/epoll`
`echo -1 > max_user_watches; echo $?; cat max_user_watches`
This function requires a non-negative number to be passed in, so when
a negative number is passed in, -EINVAL is returned.
Reported-by: Hulk Robot <hulkci@...wei.com>
Signed-off-by: Baokun Li <libaokun1@...wei.com>
---
kernel/sysctl.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 7f07b058b180..537d2f75faa0 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1149,10 +1149,9 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table,
sizeof(proc_wspace_sep), NULL);
if (err)
break;
- if (neg)
- continue;
+
val = convmul * val / convdiv;
- if ((min && val < *min) || (max && val > *max)) {
+ if (neg || (min && val < *min) || (max && val > *max)) {
err = -EINVAL;
break;
}
--
2.31.1
Powered by blists - more mailing lists