| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241218115112.su4gdcdwcbaoz5y2@quack3>
Date: Wed, 18 Dec 2024 12:51:12 +0100
From: Jan Kara <jack@...e.cz>
To: nicolas.bouchinet@...p-os.org
Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Jiri Slaby <jirislaby@...nel.org>,
Alexander Viro <viro@...iv.linux.org.uk>,
Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>,
Luis Chamberlain <mcgrof@...nel.org>, Kees Cook <kees@...nel.org>,
Joel Granados <j.granados@...sung.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Neil Horman <nhorman@...driver.com>, Lin Feng <linf@...gsu.com>,
Theodore Ts'o <tytso@....edu>
Subject: Re: [PATCH v3 1/2] coredump: Fixes core_pipe_limit sysctl
proc_handler
On Tue 17-12-24 14:29:06, nicolas.bouchinet@...p-os.org wrote:
> From: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>
>
> proc_dointvec converts a string to a vector of signed int, which is
> stored in the unsigned int .data core_pipe_limit.
> It was thus authorized to write a negative value to core_pipe_limit
> sysctl which once stored in core_pipe_limit, leads to the signed int
> dump_count check against core_pipe_limit never be true. The same can be
> achieved with core_pipe_limit set to INT_MAX.
>
> Any negative write or >= to INT_MAX in core_pipe_limit sysctl would
> hypothetically allow a user to create very high load on the system by
> running processes that produces a coredump in case the core_pattern
> sysctl is configured to pipe core files to user space helper.
> Memory or PID exhaustion should happen before but it anyway breaks the
> core_pipe_limit semantic.
>
> This commit fixes this by changing core_pipe_limit sysctl's proc_handler
> to proc_dointvec_minmax and bound checking between SYSCTL_ZERO and
> SYSCTL_INT_MAX.
>
> Fixes: a293980c2e26 ("exec: let do_coredump() limit the number of concurrent dumps to pipes")
> Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>
Looks good. Feel free to add:
Reviewed-by: Jan Kara <jack@...e.cz>
Honza
> ---
> fs/coredump.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/coredump.c b/fs/coredump.c
> index 7f12ff6ad1d3e..c3a74dd194e69 100644
> --- a/fs/coredump.c
> +++ b/fs/coredump.c
> @@ -1024,7 +1024,9 @@ static struct ctl_table coredump_sysctls[] = {
> .data = &core_pipe_limit,
> .maxlen = sizeof(unsigned int),
> .mode = 0644,
> - .proc_handler = proc_dointvec,
> + .proc_handler = proc_dointvec_minmax,
> + .extra1 = SYSCTL_ZERO,
> + .extra2 = SYSCTL_INT_MAX,
> },
> {
> .procname = "core_file_note_size_limit",
> --
> 2.47.1
>
--
Jan Kara <jack@...e.com>
SUSE Labs, CR
Powered by blists - more mailing lists