Received: by 10.223.185.116 with SMTP id b49csp2341623wrg; Thu, 15 Feb 2018 10:05:59 -0800 (PST) X-Google-Smtp-Source: AH8x227t1BWnhpMuBFEa5lt5fKTK8y0QhlUDD9djcfprCMNHHrtxIom+UataFPd64crxRT2GAv4Y X-Received: by 10.167.128.81 with SMTP id y17mr3380834pfm.91.1518717959052; Thu, 15 Feb 2018 10:05:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518717959; cv=none; d=google.com; s=arc-20160816; b=w69X5xUwVOhd+Cj/IcBqq0vqw9Pedcmuqw0EGwfEVPg+bPCvH8DUak0aN5VJTFrIjF 38ZLvnIJTgYFpb2unjpB2Dv80FkIq9LfHAIyU7+jZ/v2KdnsHo+6EyUBWwMzWH5hPY/O Za6EM/ItMe0M24g7VrWsyVH9CwVx/93F03Uy5+f8XWAkbTV6SDXTAiQhJq6AY+DZtrIN ABZGvN90Ni8YRwVdlV5shRgTUWwZQqGUaB7UPrjDV/4T54+zsfeFz4jrQIJ5Sx2TTjDY bozbs2Pb6QnummI94zXEiqujchDpMRv3yDNlZXlhv0wbtNjUzg8Uet2HDaVONIW4I4CT iGSg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=QqeVpjnlbK0CL6Ekz9yFMGBPSn9wThlVkz7YNCEV8IA=; b=n/ODwS2qrKRuPP9/cuRaMxIcQCSTuHIHfDpQSjLXMNhKMMGN8xXtWWkv40dVWc6PVc NHWmF7NOKu+SgiZBN60C1Q7B6sCxWvXLyvl7+9i4MecX3BOWx964LrXQ9mU96pRAM3gR KtQ3mk62tKo7D6maqO/Xo07JgrPuSjlE7Q06PK5VTRoWdBG7kjPG9B9cw7lcm+GfHf0V U71x0MFZfk3x8x2a2HJhYksrVjsEXzfsXbQqKWcOVXGnO4ClKxxHuU1Pr/L39EIQKR4p 1A0toPOjb2G7rBQaVaCeJgb/5pdRWoG0x+9GDP3VNciEmxj8wxh28rdizXxA2ruFgjpV 0PfA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d4si1370464pgq.82.2018.02.15.10.05.38; Thu, 15 Feb 2018 10:05:58 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1164083AbeBOP3m (ORCPT + 99 others); Thu, 15 Feb 2018 10:29:42 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:54502 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1163658AbeBOP3j (ORCPT ); Thu, 15 Feb 2018 10:29:39 -0500 Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 91DE81104; Thu, 15 Feb 2018 15:29:38 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Biggers , Kees Cook , Joe Lawrence , Alexander Viro , "Luis R . Rodriguez" , Michael Kerrisk , Mikulas Patocka , Willy Tarreau , Andrew Morton , Linus Torvalds Subject: [PATCH 4.9 64/88] pipe: actually allow root to exceed the pipe buffer limits Date: Thu, 15 Feb 2018 16:17:31 +0100 Message-Id: <20180215151231.467940696@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180215151222.437136975@linuxfoundation.org> References: <20180215151222.437136975@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric Biggers commit 85c2dd5473b2718b4b63e74bfeb1ca876868e11f upstream. pipe-user-pages-hard and pipe-user-pages-soft are only supposed to apply to unprivileged users, as documented in both Documentation/sysctl/fs.txt and the pipe(7) man page. However, the capabilities are actually only checked when increasing a pipe's size using F_SETPIPE_SZ, not when creating a new pipe. Therefore, if pipe-user-pages-hard has been set, the root user can run into it and be unable to create pipes. Similarly, if pipe-user-pages-soft has been set, the root user can run into it and have their pipes limited to 1 page each. Fix this by allowing the privileged override in both cases. Link: http://lkml.kernel.org/r/20180111052902.14409-4-ebiggers3@gmail.com Fixes: 759c01142a5d ("pipe: limit the per-user amount of pages allocated in pipes") Signed-off-by: Eric Biggers Acked-by: Kees Cook Acked-by: Joe Lawrence Cc: Alexander Viro Cc: "Luis R . Rodriguez" Cc: Michael Kerrisk Cc: Mikulas Patocka Cc: Willy Tarreau Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/pipe.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) --- a/fs/pipe.c +++ b/fs/pipe.c @@ -617,6 +617,11 @@ static bool too_many_pipe_buffers_hard(u return pipe_user_pages_hard && user_bufs >= pipe_user_pages_hard; } +static bool is_unprivileged_user(void) +{ + return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); +} + struct pipe_inode_info *alloc_pipe_info(void) { struct pipe_inode_info *pipe; @@ -633,12 +638,12 @@ struct pipe_inode_info *alloc_pipe_info( user_bufs = account_pipe_buffers(user, 0, pipe_bufs); - if (too_many_pipe_buffers_soft(user_bufs)) { + if (too_many_pipe_buffers_soft(user_bufs) && is_unprivileged_user()) { user_bufs = account_pipe_buffers(user, pipe_bufs, 1); pipe_bufs = 1; } - if (too_many_pipe_buffers_hard(user_bufs)) + if (too_many_pipe_buffers_hard(user_bufs) && is_unprivileged_user()) goto out_revert_acct; pipe->bufs = kcalloc(pipe_bufs, sizeof(struct pipe_buffer), @@ -1069,7 +1074,7 @@ static long pipe_set_size(struct pipe_in if (nr_pages > pipe->buffers && (too_many_pipe_buffers_hard(user_bufs) || too_many_pipe_buffers_soft(user_bufs)) && - !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) { + is_unprivileged_user()) { ret = -EPERM; goto out_revert_acct; }