From: Luis Chamberlain
To: akpm@linux-foundation.org, keescook@chromium.org
Cc: sandeen@redhat.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Luis Chamberlain
Subject: [PATCH 6/6] sysctl: Fix proc_do_large_bitmap for large input buffers
Date: Wed, 20 Mar 2019 22:28:31 +0000
Message-Id: <20190320222831.8243-7-mcgrof@kernel.org>
In-Reply-To: <20190320222831.8243-1-mcgrof@kernel.org>
References: <20190320222831.8243-1-mcgrof@kernel.org>

From: Eric Sandeen

Today, proc_do_large_bitmap() truncates a large write input buffer to PAGE_SIZE - 1, which may result in misparsed numbers at the (truncated) end of the buffer. Further, it fails to notify the caller that the buffer was truncated, so it doesn't get called iteratively to finish the entire input buffer.

Tell the caller if there's more work to do by adding the skipped amount back to left/*lenp before returning.

To fix the misparsing, reset the position if we have completely consumed a truncated buffer (or if just one char is left, which may be a "-" in a range), and ask the caller to come back for more.

Signed-off-by: Eric Sandeen
Acked-by: Kees Cook
Signed-off-by: Luis Chamberlain
--- kernel/sysctl.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/kernel/sysctl.c b/kernel/sysctl.c index e1a8d785b839..ddc6c717355d 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c
@@ -3159,9 +3159,13 @@ int proc_do_large_bitmap(struct ctl_table *table, int write, if (write) { char *kbuf, *p; + size_t skipped = 0; - if (left > PAGE_SIZE - 1) + if (left > PAGE_SIZE - 1) { left = PAGE_SIZE - 1; + /* How much of the buffer we'll skip this pass */ + skipped = *lenp - left; + } p = kbuf = memdup_user_nul(buffer, left); if (IS_ERR(kbuf)) @@ -3178,9 +3182,22 @@ int proc_do_large_bitmap(struct ctl_table *table, int write, while (!err && left) { unsigned long val_a, val_b; bool neg; + size_t saved_left; + /* In case we stop parsing mid-number, we can reset */ + saved_left = left; err = proc_get_long(&p, &left, &val_a, &neg, tr_a, sizeof(tr_a), &c); + /* + * If we consumed the entirety of a truncated buffer or + * only one char is left (may be a "-"), then stop here, + * reset, & come back for more. + */ + if ((left <= 1) && skipped) { + left = saved_left; + break; + } + if (err) break; if (val_a >= bitmap_len || neg) { @@ -3198,6 +3215,15 @@ int proc_do_large_bitmap(struct ctl_table *table, int write, err = proc_get_long(&p, &left, &val_b, &neg, tr_b, sizeof(tr_b), &c); + /* + * If we consumed all of a truncated buffer or + * then stop here, reset, & come back for more. + */ + if (!left && skipped) { + left = saved_left; + break; + } + if (err) break; if (val_b >= bitmap_len || neg || @@ -3216,6 +3242,7 @@ int proc_do_large_bitmap(struct ctl_table *table, int write, proc_skip_char(&p, &left, '\n'); } kfree(kbuf); + left += skipped; } else { unsigned long bit_a, bit_b = 0; -- 2.18.0
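Review bot: In the @@ -3159 hunk, "skipped = *lenp - left;" is only the truncated amount if left still held *lenp when the clamp was applied, and nothing in the hunk shows that. Deriving it from the pre-clamp value of left itself (save left before assigning PAGE_SIZE - 1 and subtract) would make the block correct on its own terms and keep skipped and left from drifting apart if the setup above the hunk ever changes.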
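Review bot: In the @@ -3178 hunk, the new "if ((left <= 1) && skipped)" test is placed ahead of "if (err) break;", so whatever proc_get_long() returned for the cut-off tail is still in err when the loop breaks. If the intent is for the caller to come back and reparse that tail, err should be cleared before the break; if the error is meant to propagate, the comment should say so. Note also that only left is restored from saved_left while p is not, which is fine because kbuf is freed right after the loop, but a word in the comment would save the next reader from checking.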
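Review bot: The comment added in the @@ -3198 hunk has a dangling "or" ("If we consumed all of a truncated buffer or then stop here"), apparently left over from copying the comment in the previous hunk. Please fix the wording and state why this check is "!left" while the val_a check is "left <= 1"; the asymmetry looks deliberate (a trailing "-" can only follow val_a), but the code does not say so.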
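Review bot: "left += skipped;" in the @@ -3216 hunk has no guard for the case where the pass made no progress. If the first token parsed fills the truncated buffer, the loop breaks on its first iteration with "left = saved_left", and adding skipped back then reports the entire input as unconsumed, so a caller that retries is handed the same bytes again. Consider detecting that nothing was consumed on a truncated pass and returning an error such as -EINVAL instead of asking for another call.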