Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4ACF8C61DA4 for ; Wed, 22 Feb 2023 07:54:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231247AbjBVHyA (ORCPT ); Wed, 22 Feb 2023 02:54:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40538 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231229AbjBVHx6 (ORCPT ); Wed, 22 Feb 2023 02:53:58 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CD3AB2A15A for ; Tue, 21 Feb 2023 23:53:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1677052388; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=ljX43G0wEY8L63/ppMMsMkg7cRFEwM1I5WynBYgGF5o=; b=ZF0OSg9qYp3eGXbcDfltZ5+Yz5QHm2ahcT9lBgfVdeX5s1jzCITNZiUfmdWR9yT01+aIOE Wgs2DLVvpfM+HxgGtpDcBEWbJTH+zPfWmGaJSh2FUoA0WCGGZiNUE21nXjzN053RzRqlpm OLnwwFlHvSSd2L1/nOM9mwPnOz7wc0w= Received: from mail-pl1-f199.google.com (mail-pl1-f199.google.com [209.85.214.199]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_128_GCM_SHA256) id us-mta-534-yyL4FTQZPxC0U-CogIPcyg-1; Wed, 22 Feb 2023 02:53:06 -0500 X-MC-Unique: yyL4FTQZPxC0U-CogIPcyg-1 Received: by mail-pl1-f199.google.com with SMTP id e4-20020a170902cf4400b00199148d00f2so3444272plg.17 for ; Tue, 21 Feb 2023 23:53:06 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1677052385; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ljX43G0wEY8L63/ppMMsMkg7cRFEwM1I5WynBYgGF5o=; b=2ga/e7KjWukGbKKa6uRX2FhTTBV+DOBoe9GlgwurDu/BjSu/m5l8e1h6RZItNINspi k963+QXbOaGBAF0ColahzfrXy+TiS4ZFocuCD9rESj70Rs095bRZEz43QQZpiCiiYVGH l4Lq2ZYQ43HLXVYatYV9Hw7cJEGLRDEN9j3a1GkR6laIhZ6ZYqIr3jvI0gBDfOAlMo9y gQbzc+ewDMgS5bZkvO6gkJLrB7d88D1xvPq6Q91i44yj836ipUravFeoPgZliQ7LjkUm /BsDWRlRlTS30AMqkpwPMVBwQFRAiuZSgcoLXmp7OlMybhjSmRU760/9DOnnhtx1Ecqm 27nQ== X-Gm-Message-State: AO0yUKX/U8EgiNZPaAWi5x1HgCtNKEkDg7956CAD0z0Iyfvrxm5F21Ft T6Hji/7lWJSuCAIy1tvPqK/t3sOQkJnDSSj73Ki/pXRrGuiFKDdZbbtHHtUaOdDsaNMcJTcMJCc YUTQ78DdcehKFvsJK8rp6VMtL3t8XUqQA1FkCRLqE X-Received: by 2002:a62:e906:0:b0:5a8:c0e0:3b2 with SMTP id j6-20020a62e906000000b005a8c0e003b2mr1331076pfh.45.1677052385598; Tue, 21 Feb 2023 23:53:05 -0800 (PST) X-Google-Smtp-Source: AK7set/h+aPFUm4SbrYbWk3iTTUpShGxZ6VUSjD4ik+PIQ2xgY3zYr2/zd6r5vbnkirTo15iRgIAj/K7nLMGyrknNUw= X-Received: by 2002:a62:e906:0:b0:5a8:c0e0:3b2 with SMTP id j6-20020a62e906000000b005a8c0e003b2mr1331073pfh.45.1677052385289; Tue, 21 Feb 2023 23:53:05 -0800 (PST) MIME-Version: 1.0 References: <20230210145823.756906-1-omosnace@redhat.com> <63f500ba.170a0220.c76fc.1642@mx.google.com> In-Reply-To: From: Ondrej Mosnacek Date: Wed, 22 Feb 2023 08:52:53 +0100 Message-ID: Subject: Re: [PATCH] sysctl: fix proc_dobool() usability To: Luis Chamberlain Cc: Kees Cook , Iurii Zaikin , Greg Kroah-Hartman , Jiri Slaby , linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Feb 21, 2023 at 11:04 PM Luis Chamberlain wrote: > On Tue, Feb 21, 2023 at 09:34:49AM -0800, Kees Cook wrote: > > On Fri, Feb 10, 2023 at 03:58:23PM +0100, Ondrej Mosnacek wrote: > > > Currently proc_dobool expects a (bool *) in table->data, but sizeof(int) > > > in table->maxsize, because it uses do_proc_dointvec() directly. > > > > > > This is unsafe for at least two reasons: > > > 1. A sysctl table definition may use { .data = &variable, .maxsize = > > > sizeof(variable) }, not realizing that this makes the sysctl unusable > > > (see the Fixes: tag) and that they need to use the completely > > > counterintuitive sizeof(int) instead. > > > 2. proc_dobool() will currently try to parse an array of values if given > > > .maxsize >= 2*sizeof(int), but will try to write values of type bool > > > by offsets of sizeof(int), so it will not work correctly with neither > > > an (int *) nor a (bool *). There is no .maxsize validation to prevent > > > this. > > > > > > Fix this by: > > > 1. Constraining proc_dobool() to allow only one value and .maxsize == > > > sizeof(bool). > > > 2. Wrapping the original struct ctl_table in a temporary one with .data > > > pointing to a local int variable and .maxsize set to sizeof(int) and > > > passing this one to proc_dointvec(), converting the value to/from > > > bool as needed (using proc_dou8vec_minmax() as an example). > > > 3. Extending sysctl_check_table() to enforce proc_dobool() expectations. > > > 4. Fixing the proc_dobool() docstring (it was just copy-pasted from > > > proc_douintvec, apparently...). > > > 5. Converting all existing proc_dobool() users to set .maxsize to > > > sizeof(bool) instead of sizeof(int). > > > > > > Fixes: 83efeeeb3d04 ("tty: Allow TIOCSTI to be disabled") > > > Fixes: a2071573d634 ("sysctl: introduce new proc handler proc_dobool") > > > Signed-off-by: Ondrej Mosnacek > > > > Ah nice, thanks for tracking this down. > > > > Acked-by: Kees Cook > > Queued onto sysctl-next, will send to Linus as this is a fix too. Thanks, Luis! -- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.