[X,SRU,1/1] sysctl: handle overflow in proc_get_long

Message ID	20190628074230.838-2-po-hsu.lin@canonical.com
State	New
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Po-Hsu Lin <po-hsu.lin@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [X][SRU][PATCH 1/1] sysctl: handle overflow in proc_get_long Date: Fri, 28 Jun 2019 15:42:28 +0800 Message-Id: <20190628074230.838-2-po-hsu.lin@canonical.com> In-Reply-To: <20190628074230.838-1-po-hsu.lin@canonical.com> References: <20190628074230.838-1-po-hsu.lin@canonical.com> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	[X,SRU,1/1] sysctl: handle overflow in proc_get_long \| expand [X,SRU,1/1] sysctl: handle overflow in proc_get_long

Message ID

20190628074230.838-2-po-hsu.lin@canonical.com

State

New

Headers

From: Po-Hsu Lin <po-hsu.lin@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [X][SRU][PATCH 1/1] sysctl: handle overflow in proc_get_long
Date: Fri, 28 Jun 2019 15:42:28 +0800
Message-Id: <20190628074230.838-2-po-hsu.lin@canonical.com>
In-Reply-To: <20190628074230.838-1-po-hsu.lin@canonical.com>
References: <20190628074230.838-1-po-hsu.lin@canonical.com>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

[X,SRU,1/1] sysctl: handle overflow in proc_get_long | expand

Commit Message

Po-Hsu Lin June 28, 2019, 7:42 a.m. UTC

From: Christian Brauner <christian@brauner.io>

BugLink: https://bugs.launchpad.net/bugs/1833935

proc_get_long() is a funny function.  It uses simple_strtoul() and for a
good reason.  proc_get_long() wants to always succeed the parse and
return the maybe incorrect value and the trailing characters to check
against a pre-defined list of acceptable trailing values.  However,
simple_strtoul() explicitly ignores overflows which can cause funny
things like the following to happen:

  echo 18446744073709551616 > /proc/sys/fs/file-max
  cat /proc/sys/fs/file-max
  0

(Which will cause your system to silently die behind your back.)

On the other hand kstrtoul() does do overflow detection but does not
return the trailing characters, and also fails the parse when anything
other than '\n' is a trailing character whereas proc_get_long() wants to
be more lenient.

Now, before adding another kstrtoul() function let's simply add a static
parse strtoul_lenient() which:
 - fails on overflow with -ERANGE
 - returns the trailing characters to the caller

The reason why we should fail on ERANGE is that we already do a partial
fail on overflow right now.  Namely, when the TMPBUFLEN is exceeded.  So
we already reject values such as 184467440737095516160 (21 chars) but
accept values such as 18446744073709551616 (20 chars) but both are
overflows.  So we should just always reject 64bit overflows and not
special-case this based on the number of chars.

Link: http://lkml.kernel.org/r/20190107222700.15954-2-christian@brauner.io
Signed-off-by: Christian Brauner <christian@brauner.io>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: Joe Lawrence <joe.lawrence@redhat.com>
Cc: Waiman Long <longman@redhat.com>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(backported from commit 7f2923c4f73f21cfd714d12a2d48de8c21f11cfe)
[PHLin: Content adjustment for the headers section]
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 kernel/sysctl.c | 40 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 81fdbd8..366e3b3 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -68,6 +68,8 @@ 
 #include <linux/efi.h>
 #include <linux/mount.h>
 
+#include "../lib/kstrtox.h"
+
 #include <asm/uaccess.h>
 #include <linux/mutex.h>
 #include <asm/processor.h>
@@ -2135,6 +2137,41 @@  static void proc_skip_char(char **buf, size_t *size, const char v)
 	}
 }
 
+/**
+ * strtoul_lenient - parse an ASCII formatted integer from a buffer and only
+ *                   fail on overflow
+ *
+ * @cp: kernel buffer containing the string to parse
+ * @endp: pointer to store the trailing characters
+ * @base: the base to use
+ * @res: where the parsed integer will be stored
+ *
+ * In case of success 0 is returned and @res will contain the parsed integer,
+ * @endp will hold any trailing characters.
+ * This function will fail the parse on overflow. If there wasn't an overflow
+ * the function will defer the decision what characters count as invalid to the
+ * caller.
+ */
+static int strtoul_lenient(const char *cp, char **endp, unsigned int base,
+			   unsigned long *res)
+{
+	unsigned long long result;
+	unsigned int rv;
+
+	cp = _parse_integer_fixup_radix(cp, &base);
+	rv = _parse_integer(cp, base, &result);
+	if ((rv & KSTRTOX_OVERFLOW) || (result != (unsigned long)result))
+		return -ERANGE;
+
+	cp += rv;
+
+	if (endp)
+		*endp = (char *)cp;
+
+	*res = (unsigned long)result;
+	return 0;
+}
+
 #define TMPBUFLEN 22
 /**
  * proc_get_long - reads an ASCII formatted integer from a user buffer
@@ -2178,7 +2215,8 @@  static int proc_get_long(char **buf, size_t *size,
 	if (!isdigit(*p))
 		return -EINVAL;
 
-	*val = simple_strtoul(p, &p, 0);
+	if (strtoul_lenient(p, &p, 0, val))
+		return -EINVAL;
 
 	len = p - tmp;

[X,SRU,1/1] sysctl: handle overflow in proc_get_long

Commit Message

Patch