From patchwork Fri Apr 27 21:00:32 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Waiman Long X-Patchwork-Id: 10369833 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id C242C601BE for ; Fri, 27 Apr 2018 21:01:37 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B1D55294A0 for ; Fri, 27 Apr 2018 21:01:37 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A4A4A294A8; Fri, 27 Apr 2018 21:01:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00, MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 41329294A0 for ; Fri, 27 Apr 2018 21:01:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759077AbeD0VAz (ORCPT ); Fri, 27 Apr 2018 17:00:55 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:45694 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1759084AbeD0VAw (ORCPT ); Fri, 27 Apr 2018 17:00:52 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id C70E940858F2; Fri, 27 Apr 2018 21:00:51 +0000 (UTC) Received: from llong.com (dhcp-17-164.bos.redhat.com [10.18.17.164]) by smtp.corp.redhat.com (Postfix) with ESMTP id 7D94B10B2B44; Fri, 27 Apr 2018 21:00:51 +0000 (UTC) From: Waiman Long To: "Luis R. Rodriguez" , Kees Cook , Andrew Morton , Jonathan Corbet Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, Al Viro , Matthew Wilcox , "Eric W. Biederman" , Waiman Long Subject: [PATCH v6 2/8] proc/sysctl: Provide additional ctl_table.flags checks Date: Fri, 27 Apr 2018 17:00:32 -0400 Message-Id: <1524862838-8247-3-git-send-email-longman@redhat.com> In-Reply-To: <1524862838-8247-1-git-send-email-longman@redhat.com> References: <1524862838-8247-1-git-send-email-longman@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Fri, 27 Apr 2018 21:00:51 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Fri, 27 Apr 2018 21:00:51 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'longman@redhat.com' RCPT:'' Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Checking code is added to provide the following additional ctl_table.flags checks: 1) No unknown flag is allowed. 2) Minimum of a range cannot be larger than the maximum value. 3) The signed and unsigned flags are mutually exclusive. 4) The proc_handler should be consistent with the signed or unsigned flags. The separation of signed and unsigned flags helps to provide more comprehensive checking than it would have been if there is only one flag available. Signed-off-by: Waiman Long --- fs/proc/proc_sysctl.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c index 8989936..fb09454 100644 --- a/fs/proc/proc_sysctl.c +++ b/fs/proc/proc_sysctl.c @@ -1092,6 +1092,64 @@ static int sysctl_check_table_array(const char *path, struct ctl_table *table) return err; } +/* + * This code assumes that only one integer value is allowed in an integer + * sysctl when one of the clamping flags is used. If that assumption is no + * longer true, we may need to add another flag to indicate the entry size. + */ +static int sysctl_check_flags(const char *path, struct ctl_table *table) +{ + int err = 0; + + if ((table->flags & ~CTL_TABLE_FLAGS_ALL) || + ((table->flags & CTL_FLAGS_CLAMP_RANGE) == CTL_FLAGS_CLAMP_RANGE)) + err = sysctl_err(path, table, "invalid flags"); + + if (table->flags & CTL_FLAGS_CLAMP_RANGE) { + int range_err = 0; + bool is_int = (table->maxlen == sizeof(int)); + + if (!is_int && (table->maxlen != sizeof(long))) { + range_err++; + } else if (!table->extra1 || !table->extra2) { + /* No min > max checking needed */ + } else if (table->flags & CTL_FLAGS_CLAMP_UNSIGNED_RANGE) { + unsigned long min, max; + + min = is_int ? *(unsigned int *)table->extra1 + : *(unsigned long *)table->extra1; + max = is_int ? *(unsigned int *)table->extra2 + : *(unsigned long *)table->extra2; + range_err += (min > max); + } else { /* table->flags & CTL_FLAGS_CLAMP_SIGNED_RANGE */ + + long min, max; + + min = is_int ? *(int *)table->extra1 + : *(long *)table->extra1; + max = is_int ? *(int *)table->extra2 + : *(long *)table->extra2; + range_err += (min > max); + } + + /* + * proc_handler and flag consistency check. + */ + if (((table->proc_handler == proc_douintvec_minmax) || + (table->proc_handler == proc_doulongvec_minmax)) && + !(table->flags & CTL_FLAGS_CLAMP_UNSIGNED_RANGE)) + range_err++; + + if ((table->proc_handler == proc_dointvec_minmax) && + !(table->flags & CTL_FLAGS_CLAMP_SIGNED_RANGE)) + range_err++; + + if (range_err) + err |= sysctl_err(path, table, "Invalid range"); + } + return err; +} + static int sysctl_check_table(const char *path, struct ctl_table *table) { int err = 0; @@ -1111,6 +1169,8 @@ static int sysctl_check_table(const char *path, struct ctl_table *table) (table->proc_handler == proc_doulongvec_ms_jiffies_minmax)) { if (!table->data) err |= sysctl_err(path, table, "No data"); + if (table->flags) + err |= sysctl_check_flags(path, table); if (!table->maxlen) err |= sysctl_err(path, table, "No maxlen"); else