Received: by 10.223.185.116 with SMTP id b49csp290048wrg; Thu, 15 Feb 2018 22:04:25 -0800 (PST) X-Google-Smtp-Source: AH8x227qcK1n7v71CmlPMtHIw73lPZmmFSVzAyNrdrveyEszHB5wvchG6OcXz4pOiHBjhLHkiQ9n X-Received: by 10.99.173.7 with SMTP id g7mr4261318pgf.391.1518761064988; Thu, 15 Feb 2018 22:04:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518761064; cv=none; d=google.com; s=arc-20160816; b=K6LTUdw2+yPyBYsA8Pi7i5mvKV/KnQ04rY/aFaCvgqI+S59KirmfU6UrZ9nIyK9MuA 3vdEi7/FAlDv+AOVbSqrkTy4wK1kgUldkDV646WZrNfPEDOvA7SP1dU1SR12VbWFMPR2 plHs/n2dxckf4fTfVE18jXotmc0D8f7G+WrDd9w1cUhX/KferWOterDA+8OraJNiBtuJ MaiCYABt9V2LvJ2C0DIYN7B8SV/2rQJohaQh/JaNsdK9qJP5jWxfbDzNUbikjqkixuyb nx6KeQgcd+v3VUwQix5buE8+r9q1MvEImeekPkofZk1hhCQ0JGlQtstXIzKHVTpeIyTi lE5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=TSDAIFQugYLPGHTC2LUVUUE9m0yYMKE9UbHy5To5tmE=; b=0+HEK6MnoJkgu4t4tvJl8iNAUJXEler5zFZxw6KkfGe13czygKRfGd0dy3e1LfQTR+ E0dbhGfL1hd72AdHr0f0uLpDP68Iam9Mi9frdPnAXE4kiBRbm6sa/YHmWA61dpnmH/nT 5/QciFABXCuXUp4DXU2+B1x65l6C4BVXakq5CijjKQg7IGHdy5cjLObIEbgfRrfFHZYR whTEsNC+4vLQE1ExU2u3ra1qsD5rNUy88Ub7W1kaP+q38AD1cvSDySraDdQxca6CFLwz ATZNL7Q4B9rET9lOUa7jEfaa1f4xPGxL/uVMh5h7hmNDGBKXx8lRfO1D8sBj5rFJQ58h qGtg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a9si3385471pgw.132.2018.02.15.22.03.37; Thu, 15 Feb 2018 22:04:24 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1425476AbeBOQGX (ORCPT + 99 others); Thu, 15 Feb 2018 11:06:23 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:35184 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1424535AbeBOPp6 (ORCPT ); Thu, 15 Feb 2018 10:45:58 -0500 Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 609C011B5; Thu, 15 Feb 2018 15:45:57 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Biggers , Kees Cook , Joe Lawrence , Alexander Viro , "Luis R . Rodriguez" , Michael Kerrisk , Mikulas Patocka , Willy Tarreau , Andrew Morton , Linus Torvalds Subject: [PATCH 4.15 159/202] pipe: actually allow root to exceed the pipe buffer limits Date: Thu, 15 Feb 2018 16:17:39 +0100 Message-Id: <20180215151721.204883817@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180215151712.768794354@linuxfoundation.org> References: <20180215151712.768794354@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric Biggers commit 85c2dd5473b2718b4b63e74bfeb1ca876868e11f upstream. pipe-user-pages-hard and pipe-user-pages-soft are only supposed to apply to unprivileged users, as documented in both Documentation/sysctl/fs.txt and the pipe(7) man page. However, the capabilities are actually only checked when increasing a pipe's size using F_SETPIPE_SZ, not when creating a new pipe. Therefore, if pipe-user-pages-hard has been set, the root user can run into it and be unable to create pipes. Similarly, if pipe-user-pages-soft has been set, the root user can run into it and have their pipes limited to 1 page each. Fix this by allowing the privileged override in both cases. Link: http://lkml.kernel.org/r/20180111052902.14409-4-ebiggers3@gmail.com Fixes: 759c01142a5d ("pipe: limit the per-user amount of pages allocated in pipes") Signed-off-by: Eric Biggers Acked-by: Kees Cook Acked-by: Joe Lawrence Cc: Alexander Viro Cc: "Luis R . Rodriguez" Cc: Michael Kerrisk Cc: Mikulas Patocka Cc: Willy Tarreau Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/pipe.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) --- a/fs/pipe.c +++ b/fs/pipe.c @@ -618,6 +618,11 @@ static bool too_many_pipe_buffers_hard(u return pipe_user_pages_hard && user_bufs >= pipe_user_pages_hard; } +static bool is_unprivileged_user(void) +{ + return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); +} + struct pipe_inode_info *alloc_pipe_info(void) { struct pipe_inode_info *pipe; @@ -634,12 +639,12 @@ struct pipe_inode_info *alloc_pipe_info( user_bufs = account_pipe_buffers(user, 0, pipe_bufs); - if (too_many_pipe_buffers_soft(user_bufs)) { + if (too_many_pipe_buffers_soft(user_bufs) && is_unprivileged_user()) { user_bufs = account_pipe_buffers(user, pipe_bufs, 1); pipe_bufs = 1; } - if (too_many_pipe_buffers_hard(user_bufs)) + if (too_many_pipe_buffers_hard(user_bufs) && is_unprivileged_user()) goto out_revert_acct; pipe->bufs = kcalloc(pipe_bufs, sizeof(struct pipe_buffer), @@ -1069,7 +1074,7 @@ static long pipe_set_size(struct pipe_in if (nr_pages > pipe->buffers && (too_many_pipe_buffers_hard(user_bufs) || too_many_pipe_buffers_soft(user_bufs)) && - !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) { + is_unprivileged_user()) { ret = -EPERM; goto out_revert_acct; }