Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932465AbeAKUgV (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Thu, 11 Jan 2018 15:36:21 -0500
Received: from mail-ua0-f195.google.com ([209.85.217.195]:34712 "EHLO
        mail-ua0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751923AbeAKUgS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 11 Jan 2018 15:36:18 -0500
X-Google-Smtp-Source: ACJfBouGrq3C0jzjXCkDOFuEX6uduUZK9/yPtTx7GwUZoaoFzx+2UQ4xnbbsBWHk7+vY6TfFPpwTd3xWfbxTcu/NCkU=
MIME-Version: 1.0
In-Reply-To: <20180111052902.14409-1-ebiggers3@gmail.com>
References: <20180111052902.14409-1-ebiggers3@gmail.com>
From: Kees Cook <keescook@chromium.org>
Date: Thu, 11 Jan 2018 12:36:15 -0800
X-Google-Sender-Auth: Z9DhLNPvQOMU-Z6P6rUIu-ADs5g
Message-ID: <CAGXu5jKZ7A0ajSrAnvQ_25VgNQuy+Ti+VVuWqP0bRqGkknQH0A@mail.gmail.com>
Subject: Re: [PATCH v2 0/7] pipe: buffer limits fixes and cleanups
To: Eric Biggers <ebiggers3@gmail.com>,
        Andrew Morton <akpm@linux-foundation.org>
Cc: "linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Joe Lawrence <joe.lawrence@redhat.com>,
        Michael Kerrisk <mtk.manpages@gmail.com>,
        Willy Tarreau <w@1wt.eu>,
        Mikulas Patocka <mpatocka@redhat.com>,
        "Luis R . Rodriguez" <mcgrof@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Wed, Jan 10, 2018 at 9:28 PM, Eric Biggers <ebiggers3@gmail.com> wrote:
> This series simplifies the sysctl handler for pipe-max-size and fixes
> another set of bugs related to the pipe buffer limits:
>
> - The root user wasn't allowed to exceed the limits when creating new
>   pipes.
>
> - There was an off-by-one error when checking the limits, so a limit of
>   N was actually treated as N - 1.
>
> - F_SETPIPE_SZ accepted values over UINT_MAX.
>
> - Reading the pipe buffer limits could be racy.
>
> Changed since v1:
>
>   - Added "Fixes" tag to "pipe: fix off-by-one error when checking buffer limits"
>   - In pipe_set_size(), checked 'nr_pages' rather than 'size'
>   - Fixed commit message for "pipe: simplify round_pipe_size()"

Thanks for the fixes! This looks good to me. Please consider the whole series:

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

>
> Eric Biggers (7):
>   pipe, sysctl: drop 'min' parameter from pipe-max-size converter
>   pipe, sysctl: remove pipe_proc_fn()
>   pipe: actually allow root to exceed the pipe buffer limits
>   pipe: fix off-by-one error when checking buffer limits
>   pipe: reject F_SETPIPE_SZ with size over UINT_MAX
>   pipe: simplify round_pipe_size()
>   pipe: read buffer limits atomically
>
>  fs/pipe.c                 | 57 ++++++++++++++++++++---------------------------
>  include/linux/pipe_fs_i.h |  5 ++---
>  include/linux/sysctl.h    |  3 ---
>  kernel/sysctl.c           | 33 +++++----------------------
>  4 files changed, 32 insertions(+), 66 deletions(-)
>
> --
> 2.15.1
>



-- 
Kees Cook
Pixel Security