From patchwork Wed Jan 15 13:22:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Bouchinet X-Patchwork-Id: 13940436 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6B90C2419FB; Wed, 15 Jan 2025 13:22:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736947351; cv=none; b=L7QmPqGYSkGUXTT9atZTMpxftAtKn2PUZmP/W0mWPJPboBRGwAnytZyGBUD2qu63bvUrsmvDK1GLCf+3yN68No7T4dqCbQHR2bHRTgYxANxN8xiuH9FKFDmj87PEjBb/jeWYBqdctq9Lsy5YhCtgtT7e0ggmnMxD4QL7qjxcyDw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736947351; c=relaxed/simple; bh=8FT+T8aU3TftfixxJmtraKKBFWBo6FJdmCrAxVUyt3k=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=NQW1W4K6VqY9uMjFJ2AHdPXDCoHxqK0aO6wTDjqJzN9UOM294p3pa/RMNZAM4w7SZFZLS+0DlHWE8hJMOArydXSF9aF0eNqE4U4HFan1r3P08A+2pZaMxWIMCxqz+6vkt38bQP8c5Oyp/XywKSTboohq13tXR95+IxKNdH3ygWA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=clip-os.org; spf=pass smtp.mailfrom=clip-os.org; dkim=pass (2048-bit key) header.d=clip-os.org header.i=@clip-os.org header.b=NLM66VuF; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=clip-os.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=clip-os.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=clip-os.org header.i=@clip-os.org header.b="NLM66VuF" Received: by mail.gandi.net (Postfix) with ESMTPSA id 7A4311C0004; Wed, 15 Jan 2025 13:22:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=clip-os.org; s=gm1; t=1736947341; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=MeXdXRsq+WRoF78VssCvRBo8D6FOZGZKSuRnY8YcCBM=; b=NLM66VuFwyJTiqzfxgqPbIxfTG7LNO3iYJ/vH4P7GBVDVnDOw5Ff+BCGBwZ64NwAM2Uhjr osJjHsU0u/R01n9/RlglLZmUuGvyxqQHim1GmSmDxLeFqqfC3BCYvabnYOhHurXov8HZel dHdOY4k4qoTY2SMUMFd2BY3PJvcAsDh1rr5HGIhk0TC4wjwpTn9o9CytDHPSSgsdL7UrQz qWAHs6LLcK0KK7eM8Ez9Mf87FLFCvMzTV7CzUJZ01SK1QkipW9ggdhGB1AUT0B/Sr0g+pX LsOG4yswfd1+jQnYUaWwA0Inni0/kTmdam6ak1F5tZcp7WWZBSR5Nb0qCg4daA== From: nicolas.bouchinet@clip-os.org To: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org Cc: Nicolas Bouchinet , Greg Kroah-Hartman , Jiri Slaby , Alexander Viro , Christian Brauner , Jan Kara , Luis Chamberlain , Kees Cook , Joel Granados , Andrew Morton , Neil Horman , Lin Feng , "Theodore Ts'o" Subject: [PATCH v4 1/2] coredump: Fixes core_pipe_limit sysctl proc_handler Date: Wed, 15 Jan 2025 14:22:08 +0100 Message-ID: <20250115132211.25400-2-nicolas.bouchinet@clip-os.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: <20250115132211.25400-1-nicolas.bouchinet@clip-os.org> References: <20250115132211.25400-1-nicolas.bouchinet@clip-os.org> Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: nicolas.bouchinet@clip-os.org From: Nicolas Bouchinet proc_dointvec converts a string to a vector of signed int, which is stored in the unsigned int .data core_pipe_limit. It was thus authorized to write a negative value to core_pipe_limit sysctl which once stored in core_pipe_limit, leads to the signed int dump_count check against core_pipe_limit never be true. The same can be achieved with core_pipe_limit set to INT_MAX. Any negative write or >= to INT_MAX in core_pipe_limit sysctl would hypothetically allow a user to create very high load on the system by running processes that produces a coredump in case the core_pattern sysctl is configured to pipe core files to user space helper. Memory or PID exhaustion should happen before but it anyway breaks the core_pipe_limit semantic. This commit fixes this by changing core_pipe_limit sysctl's proc_handler to proc_dointvec_minmax and bound checking between SYSCTL_ZERO and SYSCTL_INT_MAX. Fixes: a293980c2e26 ("exec: let do_coredump() limit the number of concurrent dumps to pipes") Signed-off-by: Nicolas Bouchinet Reviewed-by: Jan Kara --- fs/coredump.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/coredump.c b/fs/coredump.c index d48edb37bc35c..9239636b8812a 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -1015,7 +1015,9 @@ static struct ctl_table coredump_sysctls[] = { .data = &core_pipe_limit, .maxlen = sizeof(unsigned int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = proc_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_INT_MAX, }, { .procname = "core_file_note_size_limit", From patchwork Wed Jan 15 13:22:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Bouchinet X-Patchwork-Id: 13940435 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 834542416AB; Wed, 15 Jan 2025 13:22:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736947349; cv=none; b=Q065JnQn4ZtMeuB7bHXZI92Yj3pczh3t1nplDFIEjC1I1dgg3MNR3xfxBjdY/yjcvUddBkZ9J9uwiG6UTjXLU0Gr/sDb5uG2/2y8EsFUpSswolzW+rtcT77kyOIW5aqnT9lJBl1EtVJnVfECcCgiDEQAJ5IA3eMFIroSYjYbPM8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1736947349; c=relaxed/simple; bh=BamQTXn7tOLezG5eGnx+CGW7UYC2q8u2Or22ixvwEH0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=cAHauyA50d+wUfaSTkNaUb6Wov26IJwttvXRO5xfLQKM7jeIVIdVbqDN4H/6ephm41aAoST6Cq5SxLZsvjFJJ87nZogW43UzM7UYoaiqHTy9MrOr5rOt52+T9yoBF1GUiOw13AAWmJBPhz8FSH8NTeqICYncqxc+GMZam1zZRyA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=clip-os.org; spf=pass smtp.mailfrom=clip-os.org; dkim=pass (2048-bit key) header.d=clip-os.org header.i=@clip-os.org header.b=FYsRitfR; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=clip-os.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=clip-os.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=clip-os.org header.i=@clip-os.org header.b="FYsRitfR" Received: by mail.gandi.net (Postfix) with ESMTPSA id 29AA31C000E; Wed, 15 Jan 2025 13:22:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=clip-os.org; s=gm1; t=1736947344; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=XUquHLlUQqgvzmZlNIirYYls626vSbWc54eoHijhiZU=; b=FYsRitfRfvRgiIqG8xK9YVZ0P4FaDuZdlSGIOj8KTqk7gKtQRl3lbJo6G9FR1twhUWy7vB cBrO7Bi2qsWCaunu2gLSH1CFHFca8AfNGHEh2jrM4tonbrlyGMd219mPVOUpL6fVHMSbme Aeh8qAqDg65m181wtna/Ne6UvyHu1WtrvurOYD7z1Tc9i+05OdbjtxXFNmeEaoBcYfSKXh m2LdUDLLYbksKOHHqGmsY9NRgKLtryagpkFHyE3x6S0MZkZ9Oj7ZrzcnmC1AiQlCZjWFGq TvOAzSU7s2LSlyM1Hmc7nSWVW+7Hk8xKGqS5E7bKaiaZtfh0uLhC6KadPeYjhw== From: nicolas.bouchinet@clip-os.org To: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org Cc: Nicolas Bouchinet , Greg Kroah-Hartman , Jiri Slaby , Alexander Viro , Christian Brauner , Jan Kara , Luis Chamberlain , Kees Cook , Joel Granados , Andrew Morton , Neil Horman , Lin Feng , "Theodore Ts'o" Subject: [PATCH v4 2/2] sysctl: Fix underflow value setting risk in vm_table Date: Wed, 15 Jan 2025 14:22:09 +0100 Message-ID: <20250115132211.25400-3-nicolas.bouchinet@clip-os.org> X-Mailer: git-send-email 2.48.1 In-Reply-To: <20250115132211.25400-1-nicolas.bouchinet@clip-os.org> References: <20250115132211.25400-1-nicolas.bouchinet@clip-os.org> Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: nicolas.bouchinet@clip-os.org From: Nicolas Bouchinet Commit 3b3376f222e3 ("sysctl.c: fix underflow value setting risk in vm_table") fixes underflow value setting risk in vm_table but misses vdso_enabled sysctl. vdso_enabled sysctl is initialized with .extra1 value as SYSCTL_ZERO to avoid negative value writes but the proc_handler is proc_dointvec and not proc_dointvec_minmax and thus do not uses .extra1 and .extra2. The following command thus works : `# echo -1 > /proc/sys/vm/vdso_enabled` This patch properly sets the proc_handler to proc_dointvec_minmax. In addition to .extra1, .extra2 is set to SYSCTL_ONE. The sysctl is thus bounded between 0 and 1. Fixes: 3b3376f222e3 ("sysctl.c: fix underflow value setting risk in vm_table") Signed-off-by: Nicolas Bouchinet Reviewed-by: Jan Kara --- arch/sh/kernel/vsyscall/vsyscall.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/sh/kernel/vsyscall/vsyscall.c b/arch/sh/kernel/vsyscall/vsyscall.c index d80dd92a483af..1563dcc55fd32 100644 --- a/arch/sh/kernel/vsyscall/vsyscall.c +++ b/arch/sh/kernel/vsyscall/vsyscall.c @@ -37,8 +37,9 @@ static const struct ctl_table vdso_table[] = { .data = &vdso_enabled, .maxlen = sizeof(vdso_enabled), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_ONE, }, };