| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250307223020.GA28762@redhat.com>
Date: Fri, 7 Mar 2025 23:30:20 +0100
From: Oleg Nesterov <oleg@...hat.com>
To: K Prateek Nayak <kprateek.nayak@....com>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Alexander Viro <viro@...iv.linux.org.uk>,
Christian Brauner <brauner@...nel.org>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
Jan Kara <jack@...e.cz>,
"Matthew Wilcox (Oracle)" <willy@...radead.org>,
Mateusz Guzik <mjguzik@...il.com>,
Rasmus Villemoes <ravi@...vas.dk>,
"Gautham R. Shenoy" <gautham.shenoy@....com>,
Neeraj.Upadhyay@....com, Ananth.narayan@....com,
Swapnil Sapkal <swapnil.sapkal@....com>
Subject: Re: [PATCH v2 1/4] fs/pipe: Limit the slots in pipe_resize_ring()
On 03/07, K Prateek Nayak wrote:
>
> On 3/7/2025 8:21 PM, Oleg Nesterov wrote:
> >On 03/07, K Prateek Nayak wrote:
> >>
> >>--- a/fs/pipe.c
> >>+++ b/fs/pipe.c
> >>@@ -1271,6 +1271,10 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
> >> struct pipe_buffer *bufs;
> >> unsigned int head, tail, mask, n;
> >>
> >>+ /* nr_slots larger than limits of pipe->{head,tail} */
> >>+ if (unlikely(nr_slots > (pipe_index_t)-1u))
> >>+ return -EINVAL;
> >
> >The whole series look "obviously" good to me,
> >
> >Reviewed-by: Oleg Nesterov <oleg@...hat.com>
So, in case it wasn't clear, you could safely ignore everything else below ;)
> >pipe_resize_ring() has another caller, watch_queue_set_size(), but it has
> >its own hard limits...
>
> "nr_notes" for watch queues cannot cross 512 so we should be covered there.
Yes, yes, this is what I meant,
> As for round_pipe_size(), we can do:
>
> diff --git a/fs/pipe.c b/fs/pipe.c
> index ce1af7592780..f82098aaa510 100644
> --- a/fs/pipe.c
> +++ b/fs/pipe.c
> @@ -1253,6 +1253,8 @@ const struct file_operations pipefifo_fops = {
> */
> unsigned int round_pipe_size(unsigned int size)
> {
> + unsigned int max_slots;
> +
> if (size > (1U << 31))
> return 0;
> @@ -1260,7 +1262,14 @@ unsigned int round_pipe_size(unsigned int size)
> if (size < PAGE_SIZE)
> return PAGE_SIZE;
> - return roundup_pow_of_two(size);
> + size = roundup_pow_of_two(size);
> + max_slots = size >> PAGE_SHIFT;
> +
> + /* Max slots cannot be covered pipe->{head,tail} limits */
> + if (max_slots > (pipe_index_t)-1U)
> + return 0;
Sure, this will work, but still it doesn't look clear/clean to me.
But no, no, I don't blame your suggestion.
To me, round_pipe_size() looks confusing with or without the changes we
discuss. Why does it use "1U << 31" as a maximum size? OK, this is because
that "1 << 31" is the maximum power-of-2 which can fit into u32.
But, even if this code assumes that pipe->head/tail are u32, why this
restriction? Most probably I missed something, but I don't understand.
> Since pipe_resize_ring() can be called without actually looking at
> "pipe_max_size"
Again, only if the caller is watch_queue_set_size(), but it has its own
hard limit.
So. I won't argue either way. Whatever looks better to you. My ack
still stands.
Sorry for (yet another) confusing and almost off-topic email from me.
Oleg.
Powered by blists - more mailing lists