Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp5741359imm;
        Tue, 16 Oct 2018 15:34:50 -0700 (PDT)
X-Google-Smtp-Source: ACcGV60tCEzy6svgSSjAIOIJhzShFNt/Qad8Olal0ArkMf4+e0pFSM9YVt8rJYEig6K4mgBA4qj1
X-Received: by 2002:a63:f5a:: with SMTP id 26-v6mr21995154pgp.100.1539729290754;
        Tue, 16 Oct 2018 15:34:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1539729290; cv=none;
        d=google.com; s=arc-20160816;
        b=ECz0SENkQQu9ZR3hcgJs6tlgBKmlIio1cTGr8FdjoZgBHVvJFqiPf9AqLFUMC/Sfj/
         m+HV8b7wcnt17RCUhN64m4TBbFhsTh0+tH1Bceh9acLdGm7pNmH8Hrexnpw+d7Fp21Kc
         g4Lh8TBDFO67R/S7r+5QiWneaZDwT8sOlBzTyA/moNNeJYWBpXO1PX5/M8hYot11jBRf
         GtR7RcU/RfRpU74FZMFd094K0TxS2B3bQtM4lt4QZZVpMHBIMunqR2eoxKg51mDvX7tf
         kvHMVz/E3k/LA5qdGqlDkqwL2GXCC4FUuy60ZhWmoOW2ULlYIdPQ+NEMTr1FLC0SOkA8
         FfIQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:dkim-signature;
        bh=sfOoDF6FWD9iasbDrAI9VfXptLBVqHrJU0kEcmR0Evw=;
        b=ZKQ07l2gdRceCr6jsUTDuSjNLN4haCns0pgFvP/MU6RgeBowGPdim4VJak1zZsD9G8
         KeXiOKRF3hGwd4waCK3a18pQ5uwbwvY1P+3+zlBu0CVUJpNzhhFlVOlF05kIkFmd8Nim
         F3QjMuBP14xoOt6AizmRxz9UFNwkRkIlpSIArO4fId7tPgy5DJKtfPr8QdUpr6tJ2MZD
         YHEyRCJJtTwfUllNV44h6MwpBgBeb3C+1sn36IbdhUX3mnCrhaogGKJrF9oOx8usmmmM
         TUJodvtwFALVkjQtyQDSv3swfdK9Oz8CWShY6mn0bnT6bE86zeUL0fhtAYXZ42x9PvDK
         5SwA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@brauner.io header.s=google header.b=FF64v1W5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g9-v6si15722555plb.400.2018.10.16.15.34.35;
        Tue, 16 Oct 2018 15:34:50 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@brauner.io header.s=google header.b=FF64v1W5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727306AbeJQG0e (ORCPT <rfc822;brice.berna@gmail.com>
        + 99 others); Wed, 17 Oct 2018 02:26:34 -0400
Received: from mail-wm1-f65.google.com ([209.85.128.65]:51670 "EHLO
        mail-wm1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726663AbeJQG02 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 17 Oct 2018 02:26:28 -0400
Received: by mail-wm1-f65.google.com with SMTP id 143-v6so86885wmf.1
        for <linux-kernel@vger.kernel.org>; Tue, 16 Oct 2018 15:33:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=brauner.io; s=google;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=sfOoDF6FWD9iasbDrAI9VfXptLBVqHrJU0kEcmR0Evw=;
        b=FF64v1W5+Q38kFsegoAzakYC0ObJRSx9FdE1BfNF7H0Pc/x2tGig/Ypb5mMrvp+B5Q
         VQD+Ejm0w4QS4JAoj8uPn7JwuauyfTStMEpUuabxiyWtWft7FhNOd4TsO8nC6pLQJhNY
         I+KEsK3L9bj/TKivZnVHoFPK9Dt5cT+LYHN7hjmNiRy0zezD65XN5esylgk2aEh6V+pH
         a/c1RJJ/oS4cqgIjKVuP3IeKUo30N/gApD01J+Gd5uCvtEfYB/04JcnyJaXLkwl3sX1a
         hA/sZtNmgkiOyOfs7R7/Lm8L+blDznMoGB2Pz6vLw8Dcwv7w/Uko/58rjiyOZcCN6n1l
         ddBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=sfOoDF6FWD9iasbDrAI9VfXptLBVqHrJU0kEcmR0Evw=;
        b=mKo5N7eB1/eVB8iUbaKRleD9OTeicNnOYA4/qnsIg4CqiGFADh+dkLQ3gLg3G5h7zv
         RCDTaUoX+qzDSyn6QscjJYp4SO8AF+ezdsBIzP3+XaTCj/URoZvj9rMo+b/32VNhC77k
         9x5n8CH5WulkkRrxClokeg+Tb9alny+8osPnvZXfmraLv46hQqZneza9N0mnRQsIhFLA
         XVas2Zf/wYU0TQUTAiY+oEObjXi24qvCAoMlFfsK1Iv+o8cEimvfkBu7KiXqSumCKu10
         YeYlLCQhpT49jBNqmo3krusESLe5RVjZ5xcB/iR42BhBk4dTu39ezQ7Thsp4/coNYpqD
         UCuw==
X-Gm-Message-State: ABuFfoiIJEg9NfjXtUhWLUsSswxOqDiFUx7phadBiLtADEJeyAD7UG4q
        dm8cpV8MT1tgiDPQVnRF/HqUHA==
X-Received: by 2002:a1c:1984:: with SMTP id 126-v6mr96709wmz.7.1539729234612;
        Tue, 16 Oct 2018 15:33:54 -0700 (PDT)
Received: from localhost.localdomain ([2a02:8070:8895:9700:8197:8849:535a:4f00])
        by smtp.gmail.com with ESMTPSA id x8-v6sm35084836wrd.54.2018.10.16.15.33.53
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 16 Oct 2018 15:33:53 -0700 (PDT)
From:   Christian Brauner <christian@brauner.io>
To:     keescook@chromium.org, linux-kernel@vger.kernel.org
Cc:     ebiederm@xmission.com, mcgrof@kernel.org,
        akpm@linux-foundation.org, joe.lawrence@redhat.com,
        longman@redhat.com, linux@dominikbrodowski.net,
        viro@zeniv.linux.org.uk, adobriyan@gmail.com,
        linux-api@vger.kernel.org, Christian Brauner <christian@brauner.io>
Subject: [PATCH v3 2/2] sysctl: handle overflow for file-max
Date:   Wed, 17 Oct 2018 00:33:22 +0200
Message-Id: <20181016223322.16844-3-christian@brauner.io>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20181016223322.16844-1-christian@brauner.io>
References: <20181016223322.16844-1-christian@brauner.io>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Currently, when writing

echo 18446744073709551616 > /proc/sys/fs/file-max

/proc/sys/fs/file-max will overflow and be set to 0. That quickly
crashes the system.
This commit sets the max and min value for file-max and returns -EINVAL
when a long int is exceeded. Any higher value cannot currently be used as
the percpu counters are long ints and not unsigned integers. This behavior
also aligns with other tuneables that return -EINVAL when their range is
exceeded. See e.g. [1], [2] and others.

[1]: fb910c42cceb ("sysctl: check for UINT_MAX before unsigned int min/max")
[2]: 196851bed522 ("s390/topology: correct topology mode proc handler")

Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Christian Brauner <christian@brauner.io>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
v2->v3:
- unchanged

v2->v1:
- consistenly fail on overflow

v0->v1:
- if max value is < than ULONG_MAX use max as upper bound
- (Dominik) remove double "the" from commit message
---
 kernel/sysctl.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 102aa7a65687..93456e3a90cd 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -128,6 +128,7 @@ static int __maybe_unused one = 1;
 static int __maybe_unused two = 2;
 static int __maybe_unused four = 4;
 static unsigned long one_ul = 1;
+static unsigned long long_max = LONG_MAX;
 static int one_hundred = 100;
 static int one_thousand = 1000;
 #ifdef CONFIG_PRINTK
@@ -1697,6 +1698,8 @@ static struct ctl_table fs_table[] = {
 		.maxlen		= sizeof(files_stat.max_files),
 		.mode		= 0644,
 		.proc_handler	= proc_doulongvec_minmax,
+		.extra1		= &zero,
+		.extra2		= &long_max,
 	},
 	{
 		.procname	= "nr_open",
@@ -2813,6 +2816,10 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
 				break;
 			if (neg)
 				continue;
+			if ((max && val > *max) || (min && val < *min)) {
+				err = -EINVAL;
+				break;
+			}
 			val = convmul * val / convdiv;
 			if ((min && val < *min) || (max && val > *max))
 				continue;
-- 
2.17.1