Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp8955imm; Tue, 16 Oct 2018 16:47:00 -0700 (PDT) X-Google-Smtp-Source: ACcGV61m5lnE/hrx7qXQPDu4Q9rnPZqbQMuwM4BMd4iIEwckKfRTPdAw7sgxkmk9v+UuUh+fm4IB X-Received: by 2002:a63:d556:: with SMTP id v22-v6mr21228676pgi.357.1539733620873; Tue, 16 Oct 2018 16:47:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539733620; cv=none; d=google.com; s=arc-20160816; b=XHwRzdWc418eXLNiBRxat5Z8+gRB0VtHhlcAuNw2IXBeTqoYw1ABGNHDV7gu9k3XYI 43kNqWQ+NKoOLgOaOD/CzhIOMDlOiw7nlcuh2logwWAZY8S37ZnllDV8WiS19aWrYnDW BZ4hkyxl9vqirn9lLAxz9HQgnZKCPn/b7zGagp0Yj1Bx7bxqladpvnTw7I9pxD+hEhml hLb2Wc+RfTz4UhfDGMv4S37BA5gQei/zx8Jg1hV9+Fzksgprv7mD4CXjR2K+y+8+S+e3 Z+ZMXI7MJgA9gg0dPRDAE2VbH68pZyYU1azk76cR9YQe8tqurj1v7OCQo9MbHLKcerXR EDsw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:subject:mime-version:user-agent :message-id:in-reply-to:date:references:cc:to:from; bh=nURpwUJjulhmh1XhgAoP/5iRAGQX3hjWas24nHyRmP4=; b=WdWOvplmGAyFxrESJMh877UEcc+isHgC26FrgILwbh/LKum+oneK0Lc1EaZ/k9y/nD Y8pIV79uX2bYJGT0sjShuOux9R2/nGmNY4RifMdiQbtrS/tqBQLoIFiej+VOnfsCb5Hc hh5o5g08bAicKLWdPlj/ZMQraYaxlEL3w68YZYPd1BBr5OoEa4OhUR90UIjF3w3ukJlg WVtQzY0JVQESGaA+D3VFGHySOiXVBZHtvC23Iv9hXrLu+XFRBO/jeEe14BpQPp7SyfyD ObKpfu1VRcQc+etmjKswokIlZ10DJX2CulwdZFbIUdz56UlvtAwQAMh1Yh2BLDv40AEJ l3Xw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f25-v6si15195393pgb.170.2018.10.16.16.46.45; Tue, 16 Oct 2018 16:47:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727217AbeJQHiy (ORCPT + 99 others); Wed, 17 Oct 2018 03:38:54 -0400 Received: from out03.mta.xmission.com ([166.70.13.233]:59376 "EHLO out03.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727064AbeJQHiy (ORCPT ); Wed, 17 Oct 2018 03:38:54 -0400 Received: from in02.mta.xmission.com ([166.70.13.52]) by out03.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1gCZ2L-0000Hr-68; Tue, 16 Oct 2018 17:46:05 -0600 Received: from 67-3-154-154.omah.qwest.net ([67.3.154.154] helo=x220.xmission.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from ) id 1gCZ2K-0002Go-DS; Tue, 16 Oct 2018 17:46:05 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: Christian Brauner Cc: keescook@chromium.org, linux-kernel@vger.kernel.org, mcgrof@kernel.org, akpm@linux-foundation.org, joe.lawrence@redhat.com, longman@redhat.com, linux@dominikbrodowski.net, viro@zeniv.linux.org.uk, adobriyan@gmail.com, linux-api@vger.kernel.org References: <20181016223322.16844-1-christian@brauner.io> <20181016223322.16844-2-christian@brauner.io> Date: Tue, 16 Oct 2018 18:45:44 -0500 In-Reply-To: <20181016223322.16844-2-christian@brauner.io> (Christian Brauner's message of "Wed, 17 Oct 2018 00:33:21 +0200") Message-ID: <877eihjw0n.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1gCZ2K-0002Go-DS;;;mid=<877eihjw0n.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=67.3.154.154;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX19GZtdtNAFD3uALoyWqGOAVZI7qHtbdG5Q= X-SA-Exim-Connect-IP: 67.3.154.154 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa07.xmission.com X-Spam-Level: X-Spam-Status: No, score=-0.2 required=8.0 tests=ALL_TRUSTED,BAYES_50, DCC_CHECK_NEGATIVE,TVD_RCVD_IP,T_TM2_M_HEADER_IN_MSG,T_TooManySym_01 autolearn=disabled version=3.4.1 X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * 0.0 TVD_RCVD_IP Message was received from an IP address * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa07 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;Christian Brauner X-Spam-Relay-Country: X-Spam-Timing: total 361 ms - load_scoreonly_sql: 0.06 (0.0%), signal_user_changed: 3.2 (0.9%), b_tie_ro: 2.2 (0.6%), parse: 0.86 (0.2%), extract_message_metadata: 16 (4.5%), get_uri_detail_list: 2.7 (0.7%), tests_pri_-1000: 8 (2.2%), tests_pri_-950: 1.19 (0.3%), tests_pri_-900: 0.99 (0.3%), tests_pri_-400: 37 (10.4%), check_bayes: 36 (9.9%), b_tokenize: 10 (2.7%), b_tok_get_all: 15 (4.2%), b_comp_prob: 3.1 (0.9%), b_tok_touch_all: 4.2 (1.2%), b_finish: 0.62 (0.2%), tests_pri_0: 283 (78.3%), check_dkim_signature: 0.53 (0.1%), check_dkim_adsp: 2.9 (0.8%), tests_pri_10: 2.0 (0.6%), tests_pri_500: 5 (1.5%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH v3 1/2] sysctl: handle overflow in proc_get_long X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Christian Brauner writes: > proc_get_long() is a funny function. It uses simple_strtoul() and for a > good reason. proc_get_long() wants to always succeed the parse and return > the maybe incorrect value and the trailing characters to check against a > pre-defined list of acceptable trailing values. > However, simple_strtoul() explicitly ignores overflows which can cause > funny things like the following to happen: > > echo 18446744073709551616 > /proc/sys/fs/file-max > cat /proc/sys/fs/file-max > 0 > > (Which will cause your system to silently die behind your back.) > > On the other hand kstrtoul() does do overflow detection but does not return > the trailing characters, and also fails the parse when anything other than > '\n' is a trailing character whereas proc_get_long() wants to be more > lenient. > > Now, before adding another kstrtoul() function let's simply add a static > parse strtoul_lenient() which: > - fails on overflow with -ERANGE > - returns the trailing characters to the caller > > The reason why we should fail on ERANGE is that we already do a partial > fail on overflow right now. Namely, when the TMPBUFLEN is exceeded. So we > already reject values such as 184467440737095516160 (21 chars) but accept > values such as 18446744073709551616 (20 chars) but both are overflows. So > we should just always reject 64bit overflows and not special-case this > based on the number of chars. > > Acked-by: Kees Cook > Signed-off-by: Christian Brauner > Signed-off-by: Christian Brauner > --- > v2->v3: > - (Kees) s/#include <../lib/kstrtox.h>/#include "../lib/kstrtox.h"/g > - (Kees) document strtoul_lenient() > > v1->v2: > - s/sysctl_cap_erange/sysctl_lenient/g > - consistenly fail on overflow > > v0->v1: > - s/sysctl_strtoul_lenient/strtoul_cap_erange/g > - (Al) remove bool overflow return argument from strtoul_cap_erange > - (Al) return ULONG_MAX on ERANGE from strtoul_cap_erange > - (Dominik) fix spelling in commit message > --- > kernel/sysctl.c | 40 +++++++++++++++++++++++++++++++++++++++- > 1 file changed, 39 insertions(+), 1 deletion(-) > > diff --git a/kernel/sysctl.c b/kernel/sysctl.c > index cc02050fd0c4..102aa7a65687 100644 > --- a/kernel/sysctl.c > +++ b/kernel/sysctl.c > @@ -68,6 +68,8 @@ > #include > #include > > +#include "../lib/kstrtox.h" > + > #include > #include > > @@ -2065,6 +2067,41 @@ static void proc_skip_char(char **buf, size_t *size, const char v) > } > } > > +/** > + * strtoul_lenient - parse an ASCII formatted integer from a buffer and only > + * fail on overflow > + * > + * @cp: kernel buffer containing the string to parse > + * @endp: pointer to store the trailing characters > + * @base: the base to use > + * @res: where the parsed integer will be stored > + * > + * In case of success 0 is returned and @res will contain the parsed integer, > + * @endp will hold any trailing characters. > + * This function will fail the parse on overflow. If there wasn't an overflow > + * the function will defer the decision what characters count as invalid to the > + * caller. > + */ > +static int strtoul_lenient(const char *cp, char **endp, unsigned int base, > + unsigned long *res) > +{ > + unsigned long long result; > + unsigned int rv; > + > + cp = _parse_integer_fixup_radix(cp, &base); > + rv = _parse_integer(cp, base, &result); > + if ((rv & KSTRTOX_OVERFLOW) || (result != (unsigned long)result)) > + return -ERANGE; > + > + cp += rv; > + > + if (endp) > + *endp = (char *)cp; > + > + *res = (unsigned long)result; > + return 0; > +} > + > #define TMPBUFLEN 22 > /** > * proc_get_long - reads an ASCII formatted integer from a user buffer > @@ -2108,7 +2145,8 @@ static int proc_get_long(char **buf, size_t *size, > if (!isdigit(*p)) > return -EINVAL; > > - *val = simple_strtoul(p, &p, 0); > + if (strtoul_lenient(p, &p, 0, val)) > + return -EINVAL; Is it deliberate that on an error stroul_lenient returns -ERANGE but then proc_get_long returns -EINVAL? That feels wrong. The write system call does not permit -ERANGE or -EINVAL for the contents of the data so both options appear equally bad from a standards point of view. I am just wondering what the thinking is here. > len = p - tmp;