Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp38285imm; Tue, 16 Oct 2018 17:25:52 -0700 (PDT) X-Google-Smtp-Source: ACcGV63P0wYrehRSsLLimdO8ESjeLsmMl1PSsIc/TOqkNCfYYJVWW/AQ6SOKr7upM6YNieYYT9pm X-Received: by 2002:a17:902:4083:: with SMTP id c3-v6mr13696229pld.308.1539735952603; Tue, 16 Oct 2018 17:25:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539735952; cv=none; d=google.com; s=arc-20160816; b=0EWaflfuwj36sISnCJmG8vW7m/dQIrKB+GjVW6/r3sUEuEwQUHUgMbrIedAUFgPo08 rCHV1SZPBFij0onya/x04gvtw66BBibeDBcc2dgY9KB2KVfK607hVk31Cc1nS8ySH12E 45XzoQKWziruHmg1Wlr9zQx7T/kD+hbsICvdmvYRJgLV71ghWH3hjwmS1qP5nJo3v5ZJ nKoUa9G9m+57FQuNElHKXXdMJ5r6ClP6tkZPOjMZx7QXlkmjl4KpbQsAn9St6FGPRwTY Vi9FaCaUImzUGqJ+msmzJ+FzHMih2RIrlbV49akuKeUZaPdiRjGSF3pGbbrN1EFMLcZq SR4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=3yiyXevFQcKiSav9R+PPf007BSwBS50KV+i99Exngp8=; b=DVMOvLr91PeoyRgbbibk/aK1XclQikSXgoWEXHiGOqYAKOAO9apGzA2n3gq2tk7Qh0 beWzXR5F6CjXM8MMjfO4KAMe4wfVdshcOtkg1YP4pOTOimAxIEEIwQU9/8UVHIwEwIaS mCBAMMh87txV+PzKap8wvL9rBJlEjTxjfZqwzz0Kb3gqQzYZJUZvGZhvaH1Ne8zO03A5 0u64X8nKKyQOMDTL1OwDIPZ1mYOG9bODpsv7vdS5FkhUQOtbSNG2TX0P3JxtFzAyNpw2 UcSxI2QmpgbYThAbBdUNB3exzjdHSDEWMe4kGKCVLFPod0Zml2Dg4A9cLHMo34yFJI6H MqGw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@brauner.io header.s=google header.b=CJALoDOv; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g7-v6si15102423plb.167.2018.10.16.17.25.35; Tue, 16 Oct 2018 17:25:52 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@brauner.io header.s=google header.b=CJALoDOv; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727171AbeJQISM (ORCPT + 99 others); Wed, 17 Oct 2018 04:18:12 -0400 Received: from mail-lf1-f67.google.com ([209.85.167.67]:43522 "EHLO mail-lf1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727217AbeJQISM (ORCPT ); Wed, 17 Oct 2018 04:18:12 -0400 Received: by mail-lf1-f67.google.com with SMTP id p34-v6so18400546lfg.10 for ; Tue, 16 Oct 2018 17:25:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brauner.io; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3yiyXevFQcKiSav9R+PPf007BSwBS50KV+i99Exngp8=; b=CJALoDOvEA2Jink0bHra/Epb/mGqOX8SF9HymFLjBgYNLu9rTXSnWTGVt4/ni3VLA8 6R4ZOvwQyAbY+x4tOozk2vGaOv49F0EU6Av2kkKbPMOH3rk9V95k9adiGCLbdWmAftcy BcY45BtTm1n3eb6I3M5ZRjz3sJYxHIRE5Tt20XmD590JQMGg8rjZLu2TWqcGZxN53LmM LoP+jJ+7922z7st4m1PwzSG+BVws3YIz0/sVnIQcghNhxh2/bVmX/OL8xWtDKyNKAFgC O6hopZlql5uzD+XRZf2wvIPzQtoghpvWWcYgTB/tbVMs/a5AzPT49G/edNsowYLx1Y6h woEg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3yiyXevFQcKiSav9R+PPf007BSwBS50KV+i99Exngp8=; b=O7dwtsDEs+io4PywIztIb8/WgCoz80dj4tMdv9k1rHaDwIANgkL1npc8fUfELm9iGZ tLgG5elfF7Ra3RpEdqKVJeygGOk5YJ093pySfhdVEbffKAd2H8woq6DO3QLJhVA72qb/ hGcweVKf0XIJSpe2YmYcmWZCy1l/TpA4+bgXBhlI8QH3+KIptoQmIqeN5/Hbel5qLDv5 KdEDX4bA1z0oFATQntdawYYGX/KlSlDJ9pxXFQ2fi9SOJVf78XysbzlSxhVNUGt3o6Sb M9P0ZHKjti237k9BC4SDJlBNxMAGguH6PKOMSb0E7+k6oo2+FfLsKA1aXMusoZjx/YZh v3vA== X-Gm-Message-State: ABuFfojRekrMbVvy1QVp+IXhG4tbdMo/thnaFW4fDwxHdmoeKca6YaHi QrQQ+MKIAjy3CKpo1Eb8eA2t5ooCNoAHUhQ3xo6GMg== X-Received: by 2002:a19:be46:: with SMTP id o67-v6mr13312129lff.139.1539735909822; Tue, 16 Oct 2018 17:25:09 -0700 (PDT) MIME-Version: 1.0 References: <20181016223322.16844-1-christian@brauner.io> <20181016223322.16844-2-christian@brauner.io> <877eihjw0n.fsf@xmission.com> In-Reply-To: <877eihjw0n.fsf@xmission.com> From: Christian Brauner Date: Wed, 17 Oct 2018 02:24:57 +0200 Message-ID: Subject: Re: [PATCH v3 1/2] sysctl: handle overflow in proc_get_long To: "Eric W . Biederman" Cc: Kees Cook , LKML , "Luis R. Rodriguez" , Andrew Morton , Joe Lawrence , Waiman Long , Dominik Brodowski , Al Viro , Alexey Dobriyan , Linux API Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Oct 17, 2018 at 1:46 AM Eric W. Biederman wrote: > > Christian Brauner writes: > > > proc_get_long() is a funny function. It uses simple_strtoul() and for a > > good reason. proc_get_long() wants to always succeed the parse and return > > the maybe incorrect value and the trailing characters to check against a > > pre-defined list of acceptable trailing values. > > However, simple_strtoul() explicitly ignores overflows which can cause > > funny things like the following to happen: > > > > echo 18446744073709551616 > /proc/sys/fs/file-max > > cat /proc/sys/fs/file-max > > 0 > > > > (Which will cause your system to silently die behind your back.) > > > > On the other hand kstrtoul() does do overflow detection but does not return > > the trailing characters, and also fails the parse when anything other than > > '\n' is a trailing character whereas proc_get_long() wants to be more > > lenient. > > > > Now, before adding another kstrtoul() function let's simply add a static > > parse strtoul_lenient() which: > > - fails on overflow with -ERANGE > > - returns the trailing characters to the caller > > > > The reason why we should fail on ERANGE is that we already do a partial > > fail on overflow right now. Namely, when the TMPBUFLEN is exceeded. So we > > already reject values such as 184467440737095516160 (21 chars) but accept > > values such as 18446744073709551616 (20 chars) but both are overflows. So > > we should just always reject 64bit overflows and not special-case this > > based on the number of chars. > > > > Acked-by: Kees Cook > > Signed-off-by: Christian Brauner > > Signed-off-by: Christian Brauner > > --- > > v2->v3: > > - (Kees) s/#include <../lib/kstrtox.h>/#include "../lib/kstrtox.h"/g > > - (Kees) document strtoul_lenient() > > > > v1->v2: > > - s/sysctl_cap_erange/sysctl_lenient/g > > - consistenly fail on overflow > > > > v0->v1: > > - s/sysctl_strtoul_lenient/strtoul_cap_erange/g > > - (Al) remove bool overflow return argument from strtoul_cap_erange > > - (Al) return ULONG_MAX on ERANGE from strtoul_cap_erange > > - (Dominik) fix spelling in commit message > > --- > > kernel/sysctl.c | 40 +++++++++++++++++++++++++++++++++++++++- > > 1 file changed, 39 insertions(+), 1 deletion(-) > > > > diff --git a/kernel/sysctl.c b/kernel/sysctl.c > > index cc02050fd0c4..102aa7a65687 100644 > > --- a/kernel/sysctl.c > > +++ b/kernel/sysctl.c > > @@ -68,6 +68,8 @@ > > #include > > #include > > > > +#include "../lib/kstrtox.h" > > + > > #include > > #include > > > > @@ -2065,6 +2067,41 @@ static void proc_skip_char(char **buf, size_t *size, const char v) > > } > > } > > > > +/** > > + * strtoul_lenient - parse an ASCII formatted integer from a buffer and only > > + * fail on overflow > > + * > > + * @cp: kernel buffer containing the string to parse > > + * @endp: pointer to store the trailing characters > > + * @base: the base to use > > + * @res: where the parsed integer will be stored > > + * > > + * In case of success 0 is returned and @res will contain the parsed integer, > > + * @endp will hold any trailing characters. > > + * This function will fail the parse on overflow. If there wasn't an overflow > > + * the function will defer the decision what characters count as invalid to the > > + * caller. > > + */ > > +static int strtoul_lenient(const char *cp, char **endp, unsigned int base, > > + unsigned long *res) > > +{ > > + unsigned long long result; > > + unsigned int rv; > > + > > + cp = _parse_integer_fixup_radix(cp, &base); > > + rv = _parse_integer(cp, base, &result); > > + if ((rv & KSTRTOX_OVERFLOW) || (result != (unsigned long)result)) > > + return -ERANGE; > > + > > + cp += rv; > > + > > + if (endp) > > + *endp = (char *)cp; > > + > > + *res = (unsigned long)result; > > + return 0; > > +} > > + > > #define TMPBUFLEN 22 > > /** > > * proc_get_long - reads an ASCII formatted integer from a user buffer > > @@ -2108,7 +2145,8 @@ static int proc_get_long(char **buf, size_t *size, > > if (!isdigit(*p)) > > return -EINVAL; > > > > - *val = simple_strtoul(p, &p, 0); > > + if (strtoul_lenient(p, &p, 0, val)) > > + return -EINVAL; > > Is it deliberate that on an error stroul_lenient returns -ERANGE but > then proc_get_long returns -EINVAL? That feels wrong. The write system Yes, because all other integer parsing function return ERANGE as well. Right now there are no other users but if someone wants to use that function I wanted it to behave like the others. > call does not permit -ERANGE or -EINVAL for the contents of the data > so both options appear equally bad from a standards point of view. Right, but if you write a value that exceeds the buffer of 22 chars that is used to parse you already get EINVAL back on current kernels. So it didn't feel like returning EOVERFLOW or ERANGE might make sense. I saw a change in 4.10 or 4.11 as well that used EINVAL on UINT_MAX overflow or something. EINVAL might be enough information for userspace here ?/. > > I am just wondering what the thinking is here. > > > len = p - tmp;