| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220516102211.41557-7-songmuchun@bytedance.com>
Date: Mon, 16 May 2022 18:22:10 +0800
From: Muchun Song <songmuchun@...edance.com>
To: corbet@....net, mike.kravetz@...cle.com, akpm@...ux-foundation.org,
mcgrof@...nel.org, keescook@...omium.org, yzaikin@...gle.com,
osalvador@...e.de, david@...hat.com, masahiroy@...nel.org
Cc: linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, duanxiongchun@...edance.com, smuchun@...il.com,
Muchun Song <songmuchun@...edance.com>
Subject: [PATCH v12 6/7] sysctl: handle table->maxlen properly for proc_dobool
Setting ->proc_handler to proc_dobool at the same time setting ->maxlen
to sizeof(int) is counter-intuitive, it is easy to make mistakes. For
robustness, fix it by handling able->maxlen properly for proc_dobool in
__do_proc_dointvec(). In the next patch, we will use proc_dobool which
depends on this change.
Signed-off-by: Muchun Song <songmuchun@...edance.com>
Cc: Luis Chamberlain <mcgrof@...nel.org>
Cc: Kees Cook <keescook@...omium.org>
Cc: Iurii Zaikin <yzaikin@...gle.com>
---
fs/lockd/svc.c | 2 +-
kernel/sysctl.c | 22 ++++++++++++----------
2 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/fs/lockd/svc.c b/fs/lockd/svc.c
index 59ef8a1f843f..6e48ee787f49 100644
--- a/fs/lockd/svc.c
+++ b/fs/lockd/svc.c
@@ -496,7 +496,7 @@ static struct ctl_table nlm_sysctls[] = {
{
.procname = "nsm_use_hostnames",
.data = &nsm_use_hostnames,
- .maxlen = sizeof(int),
+ .maxlen = sizeof(nsm_use_hostnames),
.mode = 0644,
.proc_handler = proc_dobool,
},
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index e52b6e372c60..353fb9093012 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -428,6 +428,8 @@ static int do_proc_dobool_conv(bool *negp, unsigned long *lvalp,
int write, void *data)
{
if (write) {
+ if (*negp || (*lvalp != 0 && *lvalp != 1))
+ return -EINVAL;
*(bool *)valp = *lvalp;
} else {
int val = *(bool *)valp;
@@ -489,17 +491,17 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
int write, void *data),
void *data)
{
- int *i, vleft, first = 1, err = 0;
+ int vleft, first = 1, err = 0, size;
size_t left;
char *p;
-
+
if (!tbl_data || !table->maxlen || !*lenp || (*ppos && !write)) {
*lenp = 0;
return 0;
}
-
- i = (int *) tbl_data;
- vleft = table->maxlen / sizeof(*i);
+
+ size = conv == do_proc_dobool_conv ? sizeof(bool) : sizeof(int);
+ vleft = table->maxlen / size;
left = *lenp;
if (!conv)
@@ -514,7 +516,7 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
p = buffer;
}
- for (; left && vleft--; i++, first=0) {
+ for (; left && vleft--; tbl_data = (char *)tbl_data + size, first=0) {
unsigned long lval;
bool neg;
@@ -528,12 +530,12 @@ static int __do_proc_dointvec(void *tbl_data, struct ctl_table *table,
sizeof(proc_wspace_sep), NULL);
if (err)
break;
- if (conv(&neg, &lval, i, 1, data)) {
+ if (conv(&neg, &lval, tbl_data, 1, data)) {
err = -EINVAL;
break;
}
} else {
- if (conv(&neg, &lval, i, 0, data)) {
+ if (conv(&neg, &lval, tbl_data, 0, data)) {
err = -EINVAL;
break;
}
@@ -708,8 +710,8 @@ int do_proc_douintvec(struct ctl_table *table, int write,
* @lenp: the size of the user buffer
* @ppos: file position
*
- * Reads/writes up to table->maxlen/sizeof(unsigned int) integer
- * values from/to the user buffer, treated as an ASCII string.
+ * Reads/writes up to table->maxlen/sizeof(bool) bool values from/to
+ * the user buffer, treated as an ASCII string.
*
* Returns 0 on success.
*/
--
2.11.0
Powered by blists - more mailing lists