From patchwork Fri Jun 28 08:24:37 2019
X-Patchwork-Submitter: Po-Hsu Lin
X-Patchwork-Id: 1124041
From: Po-Hsu Lin
To: kernel-team@lists.ubuntu.com
Subject: [B][C][SRU][PATCH v2 1/2] sysctl: handle overflow for file-max
Date: Fri, 28 Jun 2019 16:24:37 +0800
Message-Id: <20190628082438.3124-2-po-hsu.lin@canonical.com>
In-Reply-To: <20190628082438.3124-1-po-hsu.lin@canonical.com>
References: <20190628082438.3124-1-po-hsu.lin@canonical.com>
List-Id: Kernel team discussions
From: Christian Brauner

BugLink: https://bugs.launchpad.net/bugs/1834310

Currently, when writing

echo 18446744073709551616 > /proc/sys/fs/file-max

/proc/sys/fs/file-max will overflow and be set to 0. That quickly crashes the system.

This commit sets the max and min value for file-max. The max value is set to long int. Any higher value cannot currently be used as the percpu counters are long ints and not unsigned integers.

Note that the file-max value is ultimately parsed via __do_proc_doulongvec_minmax(). This function does not report an error when min or max are exceeded. This means that if a value larger than long int is written, userspace will not receive an error; instead the old value will be kept. There is an argument to be made that this should be changed and __do_proc_doulongvec_minmax() should return an error when a dedicated min or max value is exceeded. However this has the potential to break userspace so let's defer this to an RFC patch.

Link: http://lkml.kernel.org/r/20190107222700.15954-3-christian@brauner.io
Signed-off-by: Christian Brauner
Acked-by: Kees Cook
Cc: Alexey Dobriyan
Cc: Al Viro
Cc: Dominik Brodowski
Cc: "Eric W. Biederman"
Cc: Joe Lawrence
Cc: Luis Chamberlain
Cc: Waiman Long
[christian@brauner.io: v4]
Link: http://lkml.kernel.org/r/20190210203943.8227-3-christian@brauner.io
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
(cherry picked from commit 32a5ad9c22852e6bd9e74bdec5934ef9d1480bc5)
Signed-off-by: Po-Hsu Lin
--- kernel/sysctl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel/sysctl.c b/kernel/sysctl.c index c19d7a8..39ea0c1 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -129,6 +129,7 @@ static int __maybe_unused one = 1; static int __maybe_unused two = 2; static int __maybe_unused four = 4; static unsigned long one_ul = 1; +static unsigned long long_max = LONG_MAX; static int one_hundred = 100; static int one_thousand = 1000; #ifdef CONFIG_PRINTK
@@ -1698,6 +1699,8 @@ static struct ctl_table fs_table[] = { .maxlen = sizeof(files_stat.max_files), .mode = 0644, .proc_handler = proc_doulongvec_minmax, + .extra1 = &zero, + .extra2 = &long_max, }, { .procname = "nr_open",
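Review bot: the new long_max cap in the first hunk is LONG_MAX rather than ULONG_MAX, which the message justifies by the long-typed percpu counters; combined with the silent old-value-kept behaviour of __do_proc_doulongvec_minmax that the message describes, a write above LONG_MAX returns success to the writer and the only way for an administrator to notice the rejected write is to read /proc/sys/fs/file-max back. That silent clamp deserves a sentence in the sysctl documentation next to the new cap.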
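Review bot: in the second hunk, .extra1 = &zero hands an int to proc_doulongvec_minmax, which dereferences extra1 as an unsigned long (the neighbouring one_ul in the first hunk shows the type this handler's bounds are meant to have); on 64-bit that is an 8-byte read from a 4-byte object, which is exactly the global-out-of-bounds KASAN report in patch 2/2. Add an unsigned long zero next to one_ul and point .extra1 at that instead, as the follow-up's zero_ul does.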
From patchwork Fri Jun 28 08:24:38 2019
X-Patchwork-Submitter: Po-Hsu Lin
X-Patchwork-Id: 1124042
From: Po-Hsu Lin
To: kernel-team@lists.ubuntu.com
Subject: [B][C][SRU][PATCH v2 2/2] kernel/sysctl.c: fix out-of-bounds access when setting file-max
Date: Fri, 28 Jun 2019 16:24:38 +0800
Message-Id: <20190628082438.3124-3-po-hsu.lin@canonical.com>
In-Reply-To: <20190628082438.3124-1-po-hsu.lin@canonical.com>
References: <20190628082438.3124-1-po-hsu.lin@canonical.com>
List-Id: Kernel team discussions
From: Will Deacon

BugLink: https://bugs.launchpad.net/bugs/1834310

Commit 32a5ad9c2285 ("sysctl: handle overflow for file-max") hooked up min/max values for the file-max sysctl parameter via the .extra1 and .extra2 fields in the corresponding struct ctl_table entry. Unfortunately, the minimum value points at the global 'zero' variable, which is an int. This results in a KASAN splat when accessed as a long by proc_doulongvec_minmax on 64-bit architectures:

| BUG: KASAN: global-out-of-bounds in __do_proc_doulongvec_minmax+0x5d8/0x6a0
| Read of size 8 at addr ffff2000133d1c20 by task systemd/1
|
| CPU: 0 PID: 1 Comm: systemd Not tainted 5.1.0-rc3-00012-g40b114779944 #2
| Hardware name: linux,dummy-virt (DT)
| Call trace:
|  dump_backtrace+0x0/0x228
|  show_stack+0x14/0x20
|  dump_stack+0xe8/0x124
|  print_address_description+0x60/0x258
|  kasan_report+0x140/0x1a0
|  __asan_report_load8_noabort+0x18/0x20
|  __do_proc_doulongvec_minmax+0x5d8/0x6a0
|  proc_doulongvec_minmax+0x4c/0x78
|  proc_sys_call_handler.isra.19+0x144/0x1d8
|  proc_sys_write+0x34/0x58
|  __vfs_write+0x54/0xe8
|  vfs_write+0x124/0x3c0
|  ksys_write+0xbc/0x168
|  __arm64_sys_write+0x68/0x98
|  el0_svc_common+0x100/0x258
|  el0_svc_handler+0x48/0xc0
|  el0_svc+0x8/0xc
|
| The buggy address belongs to the variable:
|  zero+0x0/0x40
|
| Memory state around the buggy address:
|  ffff2000133d1b00: 00 00 00 00 00 00 00 00 fa fa fa fa 04 fa fa fa
|  ffff2000133d1b80: fa fa fa fa 04 fa fa fa fa fa fa fa 04 fa fa fa
| >ffff2000133d1c00: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
|                                ^
|  ffff2000133d1c80: fa fa fa fa 00 fa fa fa fa fa fa fa 00 00 00 00
|  ffff2000133d1d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Fix the splat by introducing an unsigned long 'zero_ul' and using that instead.

Link: http://lkml.kernel.org/r/20190403153409.17307-1-will.deacon@arm.com
Fixes: 32a5ad9c2285 ("sysctl: handle overflow for file-max")
Signed-off-by: Will Deacon
Acked-by: Christian Brauner
Cc: Kees Cook
Cc: Alexey Dobriyan
Cc: Matteo Croce
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
(cherry picked from commit 9002b21465fa4d829edfc94a5a441005cffaa972)
Signed-off-by: Po-Hsu Lin
--- kernel/sysctl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 39ea0c1..df6492b 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -128,6 +128,7 @@ static int zero; static int __maybe_unused one = 1; static int __maybe_unused two = 2; static int __maybe_unused four = 4; +static unsigned long zero_ul; static unsigned long one_ul = 1; static unsigned long long_max = LONG_MAX; static int one_hundred = 100; @@ -1699,7 +1700,7 @@ static struct ctl_table fs_table[] = { .maxlen = sizeof(files_stat.max_files), .mode = 0644, .proc_handler = proc_doulongvec_minmax, - .extra1 = &zero, + .extra1 = &zero_ul, .extra2 = &long_max, }, {
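Review bot: zero_ul in the first hunk relies on zero-initialisation of a static and carries no __maybe_unused like one/two/four, which is fine as long as fs_table always references it; the int zero stays for the int-typed entries, so the two now coexist in the same block. A one-line comment stating that zero_ul is the unsigned long bound for proc_doulongvec_minmax entries would stop the next .extra1 = &zero from being copied into a ulong entry.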
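Review bot: the second hunk removes the out-of-bounds read, but only by convention: .extra1 and .extra2 are untyped pointers, so the compiler did not flag &zero and will not flag the next mismatch either, and the .maxlen = sizeof(files_stat.max_files) on the same entry covers only the data field, not the bounds. This splat surfaced only because KASAN was enabled and systemd wrote file-max at boot (task systemd/1 in the report); a follow-up that ties the bounds' type to the handler (a build-time assertion or a typed helper for proc_doulongvec_minmax users) would catch the class rather than this instance.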
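The two commit messages above describe one parse-and-clamp path: an unchecked conversion that wrapped 2^64 to 0, a min/max pair whose violation silently keeps the old value, and a bounds pointer whose type the compiler could not check. The following is an added illustration, not code from either patch or from the kernel tree: a hypothetical user-space C model of that path. The names parse_wrapping, ulong_sysctl, ulong_sysctl_write and simulate_write are assumptions of the model, and its typed min/max pointers are a deliberate departure from the kernel's untyped extra1/extra2 so that an int bound fails to compile.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space model of the file-max write path described in the
 * two commit messages above. Nothing here is kernel code; the function and
 * type names are assumptions made for this illustration. */

/* Models the unchecked decimal conversion that let 18446744073709551616
 * (2^64) become 0: unsigned arithmetic wraps silently, no error is raised. */
unsigned long parse_wrapping(const char *s)
{
    unsigned long v = 0;
    for (; *s >= '0' && *s <= '9'; s++)
        v = v * 10 + (unsigned long)(*s - '0');
    return v;
}

/* Model of one ctl_table entry for an unsigned long sysctl. The kernel keeps
 * min/max as untyped pointers, which is why &zero (an int) compiled; the typed
 * pointers here make the compiler reject an int bound outright. */
struct ulong_sysctl {
    unsigned long *data;
    const unsigned long *min;
    const unsigned long *max;
};

/* Models the min/max semantics the first commit message describes: an
 * out-of-range write is dropped, the old value is kept, and the writer is
 * not told. Returns true only if the value was stored. */
bool ulong_sysctl_write(struct ulong_sysctl *t, const char *buf)
{
    char *end;
    unsigned long v;

    if (*buf == '-')              /* strtoul would wrap "-1" to ULONG_MAX */
        return false;
    errno = 0;
    v = strtoul(buf, &end, 10);
    if (errno == ERANGE || end == buf)
        return false;             /* conversion overflow: no wrap, keep old */
    if (*end != '\0' && *end != '\n')
        return false;             /* trailing garbage after the digits */
    if (t->min && v < *t->min)
        return false;
    if (t->max && v > *t->max)
        return false;
    *t->data = v;
    return true;
}

/* Bounds declared with the type the handler reads them as: the model's
 * counterpart of the patches' zero_ul and long_max. */
static const unsigned long zero_ul = 0;
static const unsigned long long_max = LONG_MAX;
static unsigned long file_max = 8192;   /* constructed starting value */
static struct ulong_sysctl file_max_entry = { &file_max, &zero_ul, &long_max };

/* Resets file-max to `old`, performs one simulated write of `buf`, and
 * returns the value an administrator would read back afterwards. */
unsigned long simulate_write(unsigned long old, const char *buf)
{
    file_max = old;
    ulong_sysctl_write(&file_max_entry, buf);
    return file_max;
}

int main(void)
{
    const char *huge = "18446744073709551616\n";   /* 2^64, the value from the commit message */

    printf("wrapping parse of 2^64      -> %lu\n", parse_wrapping(huge));
    printf("checked write of 2^64       -> %lu (old value kept)\n", simulate_write(8192, huge));
    printf("checked write of 65536      -> %lu\n", simulate_write(8192, "65536\n"));
    printf("checked write of LONG_MAX+1 -> %lu (old value kept)\n",
           simulate_write(8192, "9223372036854775808\n"));
    return 0;
}
```

The model keeps the kernel's silent behaviour on purpose (ulong_sysctl_write reports the drop to its caller, but simulate_write, like the sysctl write, surfaces only the value read back), which is the operational lesson of the first message: after raising file-max, read it back rather than trusting the write's exit status.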