Received: by 10.223.185.116 with SMTP id b49csp2286371wrg; Thu, 15 Feb 2018 09:16:33 -0800 (PST) X-Google-Smtp-Source: AH8x226MwzxMU+c0VWTweCBKCrknkS/oNwRb0MDQZRRErjoXQ/vjwUCVc0cAOUkYxNIQ2NUaov5B X-Received: by 2002:a17:902:820d:: with SMTP id x13-v6mr3116285pln.2.1518714993748; Thu, 15 Feb 2018 09:16:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518714993; cv=none; d=google.com; s=arc-20160816; b=ZuI/Na4xPgY+Ibi4/9sKCjC2GV06O74Xxql34pq+rLESihABoj2Ly/RWE/V0CmG+CW z6YkozcDfFMyjm0DPZ8dKDMkd07+frLkNqKEqqqkyKtAB8hWQ09SQsFUCh4h4o0AXiW7 hXGcC/oTKLfky+tHL8LNZYWoprtu86Q6QH9/7vMuW/udcIBDtRpGoxBbYEFrKUQcO+mp 7JzZpyQQhl4KhN+fYIssEToHMJ7+JSSUjllcjerR1CShuA1A2Tvxzpnv3SnShUj8sNLb FMhvuBvmkhK2O5IHGQNTTRCiEwlrEEVrYiElevC2fQVD0OZB7S9hQo5U7JB7WvSntkmc PRNQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=okN+QU98medkO+7ihdt6c7Nu/+mp9r2jZybRO2E0Kzc=; b=n9cQo8CmVLszpRVcrTYvgaHxEHiEudB504/yzHeUBhPcmGpQ6AH5LTQxz9RAEPM49b /ZNESxM1GA97gySBXf6XeeWEviGi+aID0LRjICxENazvMUcqrh/85QlA0Vb4ZsKKog9V I/ExtffZShgHPBpiAFWfDOCOoNqFslFUqxoa6CMjCRfedzRIpvvAQH5G1NyRq+gVF/Mp OLz/g7hzk3GSmlKP3KX9SFK1WGjuRzgQ0hXFa8WFQx6uk4gPRqWlD8Zrr9GqI5XxX87L pYPagGG24riCWlftfP4AY/KDKQsKcuGgXjNnrOTZRQ/RSmh+NwxSdiWuyka4/5vdZaW1 5AGQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t1si1506589pgv.668.2018.02.15.09.16.18; Thu, 15 Feb 2018 09:16:33 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1422957AbeBOPgo (ORCPT + 99 others); Thu, 15 Feb 2018 10:36:44 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:58674 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1422893AbeBOPgm (ORCPT ); Thu, 15 Feb 2018 10:36:42 -0500 Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 43C38EAF; Thu, 15 Feb 2018 15:36:39 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Biggers , Kees Cook , Joe Lawrence , Alexander Viro , "Luis R . Rodriguez" , Michael Kerrisk , Mikulas Patocka , Willy Tarreau , Andrew Morton , Linus Torvalds Subject: [PATCH 4.14 155/195] pipe: actually allow root to exceed the pipe buffer limits Date: Thu, 15 Feb 2018 16:17:26 +0100 Message-Id: <20180215151713.664934489@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180215151705.738773577@linuxfoundation.org> References: <20180215151705.738773577@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric Biggers commit 85c2dd5473b2718b4b63e74bfeb1ca876868e11f upstream. pipe-user-pages-hard and pipe-user-pages-soft are only supposed to apply to unprivileged users, as documented in both Documentation/sysctl/fs.txt and the pipe(7) man page. However, the capabilities are actually only checked when increasing a pipe's size using F_SETPIPE_SZ, not when creating a new pipe. Therefore, if pipe-user-pages-hard has been set, the root user can run into it and be unable to create pipes. Similarly, if pipe-user-pages-soft has been set, the root user can run into it and have their pipes limited to 1 page each. Fix this by allowing the privileged override in both cases. Link: http://lkml.kernel.org/r/20180111052902.14409-4-ebiggers3@gmail.com Fixes: 759c01142a5d ("pipe: limit the per-user amount of pages allocated in pipes") Signed-off-by: Eric Biggers Acked-by: Kees Cook Acked-by: Joe Lawrence Cc: Alexander Viro Cc: "Luis R . Rodriguez" Cc: Michael Kerrisk Cc: Mikulas Patocka Cc: Willy Tarreau Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/pipe.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) --- a/fs/pipe.c +++ b/fs/pipe.c @@ -618,6 +618,11 @@ static bool too_many_pipe_buffers_hard(u return pipe_user_pages_hard && user_bufs >= pipe_user_pages_hard; } +static bool is_unprivileged_user(void) +{ + return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); +} + struct pipe_inode_info *alloc_pipe_info(void) { struct pipe_inode_info *pipe; @@ -634,12 +639,12 @@ struct pipe_inode_info *alloc_pipe_info( user_bufs = account_pipe_buffers(user, 0, pipe_bufs); - if (too_many_pipe_buffers_soft(user_bufs)) { + if (too_many_pipe_buffers_soft(user_bufs) && is_unprivileged_user()) { user_bufs = account_pipe_buffers(user, pipe_bufs, 1); pipe_bufs = 1; } - if (too_many_pipe_buffers_hard(user_bufs)) + if (too_many_pipe_buffers_hard(user_bufs) && is_unprivileged_user()) goto out_revert_acct; pipe->bufs = kcalloc(pipe_bufs, sizeof(struct pipe_buffer), @@ -1069,7 +1074,7 @@ static long pipe_set_size(struct pipe_in if (nr_pages > pipe->buffers && (too_many_pipe_buffers_hard(user_bufs) || too_many_pipe_buffers_soft(user_bufs)) && - !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) { + is_unprivileged_user()) { ret = -EPERM; goto out_revert_acct; }