| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241112131357.49582-2-nicolas.bouchinet@clip-os.org>
Date: Tue, 12 Nov 2024 14:13:29 +0100
From: nicolas.bouchinet@...p-os.org
To: linux-kernel@...r.kernel.org,
linux-serial@...r.kernel.org,
linux-fsdevel@...r.kernel.org
Cc: nicolas.bouchinet@...p-os.org,
Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Jiri Slaby <jirislaby@...nel.org>,
Alexander Viro <viro@...iv.linux.org.uk>,
Christian Brauner <brauner@...nel.org>,
Jan Kara <jack@...e.cz>,
Luis Chamberlain <mcgrof@...nel.org>,
Kees Cook <kees@...nel.org>,
Joel Granados <j.granados@...sung.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Neil Horman <nhorman@...driver.com>,
Lin Feng <linf@...gsu.com>,
"Theodore Ts'o" <tytso@....edu>
Subject: [PATCH 1/3] coredump: Fixes core_pipe_limit sysctl proc_handler
From: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>
proc_dointvec converts a string to a vector of signed int, which is
stored in the unsigned int .data core_pipe_limit.
It was thus authorized to write a negative value to core_pipe_limit
sysctl which once stored in core_pipe_limit, leads to the signed int
dump_count check against core_pipe_limit never be true. The same can be
achieved with core_pipe_limit set to INT_MAX.
Any negative write or >= to INT_MAX in core_pipe_limit sysctl would
hypothetically allow a user to create very high load on the system by
running processes that produces a coredump in case the core_pattern
sysctl is configured to pipe core files to user space helper.
Memory or PID exhaustion should happen before but it anyway breaks the
core_pipe_limit semantic
This commit fixes this by changing core_pipe_limit sysctl's proc_handler
to proc_dointvec_minmax and bound checking between SYSCTL_ZERO and
SYSCTL_INT_MAX.
Fixes: a293980c2e26 ("exec: let do_coredump() limit the number of concurrent dumps to pipes")
Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>
---
fs/coredump.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/coredump.c b/fs/coredump.c
index 7f12ff6ad1d3e..8ea5896e518dd 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -616,7 +616,8 @@ void do_coredump(const kernel_siginfo_t *siginfo)
cprm.limit = RLIM_INFINITY;
dump_count = atomic_inc_return(&core_dump_count);
- if (core_pipe_limit && (core_pipe_limit < dump_count)) {
+ if ((core_pipe_limit && (core_pipe_limit < dump_count)) ||
+ (core_pipe_limit && dump_count == INT_MAX)) {
printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
task_tgid_vnr(current), current->comm);
printk(KERN_WARNING "Skipping core dump\n");
@@ -1024,7 +1025,9 @@ static struct ctl_table coredump_sysctls[] = {
.data = &core_pipe_limit,
.maxlen = sizeof(unsigned int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_INT_MAX,
},
{
.procname = "core_file_note_size_limit",
--
2.47.0
Powered by blists - more mailing lists