lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Yb+kHuIFnCKcfM5l@bombadil.infradead.org>
Date:   Sun, 19 Dec 2021 13:29:02 -0800
From:   Luis Chamberlain <mcgrof@...nel.org>
To:     Baokun Li <libaokun1@...wei.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Cc:     keescook@...omium.org, yzaikin@...gle.com,
        linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        yukuai3@...wei.com, Hulk Robot <hulkci@...wei.com>
Subject: Re: [PATCH -next] sysctl: returns -EINVAL when a negative value is
 passed to proc_doulongvec_minmax

On Thu, Dec 09, 2021 at 04:56:35PM +0800, Baokun Li wrote:
> When we pass a negative value to the proc_doulongvec_minmax() function,
> the function returns 0, but the corresponding interface value does not
> change.
> 
> we can easily reproduce this problem with the following commands:
>     `cd /proc/sys/fs/epoll`
>     `echo -1 > max_user_watches; echo $?; cat max_user_watches`
> 
> This function requires a non-negative number to be passed in, so when
> a negative number is passed in, -EINVAL is returned.
> 
> Reported-by: Hulk Robot <hulkci@...wei.com>
> Signed-off-by: Baokun Li <libaokun1@...wei.com>
> ---
>  kernel/sysctl.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 7f07b058b180..537d2f75faa0 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -1149,10 +1149,9 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table,
>  					     sizeof(proc_wspace_sep), NULL);
>  			if (err)
>  				break;
> -			if (neg)
> -				continue;
> +
>  			val = convmul * val / convdiv;
> -			if ((min && val < *min) || (max && val > *max)) {
> +			if (neg || (min && val < *min) || (max && val > *max)) {
>  				err = -EINVAL;
>  				break;
>  			}

I'd much prefer if we stick to the pattern:

err = proc_get_long(...);
if (err || neg) {
	err = -EINVAL;
	break;
}        

Look at the other proc_get_long() uses.

But otherwise yes we should do this, please Cc Andrew Morton in your
next patch and I'll Ack it. Also extend the commit log to include that
proc_get_long() always returns -EINVAL on error and so we embrace the
pattern already used in other places where we also check for a negative
value and it is not allowed.

Did you get to inspect all other unsigned proc calls? If not feel free,
and thanks for your patch!!!

Curious do you have docs on Hulk Robot?

  Luis

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ