| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7cbc5845-e890-4bf5-9488-cd2496642f7e@amd.com>
Date: Fri, 7 Mar 2025 21:46:01 +0530
From: K Prateek Nayak <kprateek.nayak@....com>
To: Oleg Nesterov <oleg@...hat.com>
CC: Linus Torvalds <torvalds@...ux-foundation.org>, Alexander Viro
<viro@...iv.linux.org.uk>, Christian Brauner <brauner@...nel.org>,
<linux-fsdevel@...r.kernel.org>, <linux-kernel@...r.kernel.org>, Jan Kara
<jack@...e.cz>, "Matthew Wilcox (Oracle)" <willy@...radead.org>, "Mateusz
Guzik" <mjguzik@...il.com>, Rasmus Villemoes <ravi@...vas.dk>, "Gautham R.
Shenoy" <gautham.shenoy@....com>, <Neeraj.Upadhyay@....com>,
<Ananth.narayan@....com>, Swapnil Sapkal <swapnil.sapkal@....com>
Subject: Re: [PATCH v2 1/4] fs/pipe: Limit the slots in pipe_resize_ring()
Hello Oleg,
Thank you for the review.
On 3/7/2025 8:21 PM, Oleg Nesterov wrote:
> On 03/07, K Prateek Nayak wrote:
>>
>> --- a/fs/pipe.c
>> +++ b/fs/pipe.c
>> @@ -1271,6 +1271,10 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
>> struct pipe_buffer *bufs;
>> unsigned int head, tail, mask, n;
>>
>> + /* nr_slots larger than limits of pipe->{head,tail} */
>> + if (unlikely(nr_slots > (pipe_index_t)-1u))
>> + return -EINVAL;
>
> The whole series look "obviously" good to me,
>
> Reviewed-by: Oleg Nesterov <oleg@...hat.com>
>
> -------------------------------------------------------------------------------
> But damn ;) lets look at round_pipe_size(),
>
> unsigned int round_pipe_size(unsigned int size)
> {
> if (size > (1U << 31))
> return 0;
>
> /* Minimum pipe size, as required by POSIX */
> if (size < PAGE_SIZE)
> return PAGE_SIZE;
>
> return roundup_pow_of_two(size);
> }
>
> it is a bit silly to allow the maximum size == 1U << 31 in pipe_set_size()
> or (more importantly) in /proc/sys/fs/pipe-max-size, and then nack nr_slots
> in pipe_resize_ring().
>
> So perhaps this check should go into round_pipe_size() ? Although I can't
> suggest a simple/clear check without unnecesary restrictions for the case
> when pipe_index_t is u16.
>
> pipe_resize_ring() has another caller, watch_queue_set_size(), but it has
> its own hard limits...
"nr_notes" for watch queues cannot cross 512 so we should be covered there.
As for round_pipe_size(), we can do:
diff --git a/fs/pipe.c b/fs/pipe.c
index ce1af7592780..f82098aaa510 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1253,6 +1253,8 @@ const struct file_operations pipefifo_fops = {
*/
unsigned int round_pipe_size(unsigned int size)
{
+ unsigned int max_slots;
+
if (size > (1U << 31))
return 0;
@@ -1260,7 +1262,14 @@ unsigned int round_pipe_size(unsigned int size)
if (size < PAGE_SIZE)
return PAGE_SIZE;
- return roundup_pow_of_two(size);
+ size = roundup_pow_of_two(size);
+ max_slots = size >> PAGE_SHIFT;
+
+ /* Max slots cannot be covered pipe->{head,tail} limits */
+ if (max_slots > (pipe_index_t)-1U)
+ return 0;
+
+ return size;
}
/*
--
Since pipe_resize_ring() can be called without actually looking at
"pipe_max_size" as is the case with watch queues, we can either keep the
check in pipe_resize_ring() as well out of paranoia or get rid of it
since the current users are within the bounds.
Thoughts?
>
> Oleg.
>
--
Thanks and Regards,
Prateek
Powered by blists - more mailing lists