Re: [PATCH 4/8] pipe: fix limit checking in pipe_set_size()

From: Michael Kerrisk (man-pages)
Date: Fri Aug 19 2016 - 16:57:05 EST

Next message: Kees Cook: "Re: usercopy: kernel memory exposure attempt detected"
Previous message: Andi Kleen: "Re: [RFC PATCH v8 1/9] Restartable sequences system call"
In reply to: Vegard Nossum: "Re: [PATCH 4/8] pipe: fix limit checking in pipe_set_size()"
Next in thread: Michael Kerrisk (man-pages): "Re: [PATCH 4/8] pipe: fix limit checking in pipe_set_size()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Vegard,

On 08/19/2016 08:30 PM, Vegard Nossum wrote:
> On 08/19/2016 07:25 AM, Michael Kerrisk (man-pages) wrote:
>> The limit checking in pipe_set_size() (used by fcntl(F_SETPIPE_SZ))
>> has the following problems:
> [...]
>> @@ -1030,6 +1030,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
>> {
>> struct pipe_buffer *bufs;
>> unsigned int size, nr_pages;
>> + long ret = 0;
>>
>> size = round_pipe_size(arg);
>> nr_pages = size >> PAGE_SHIFT;
>> @@ -1037,13 +1038,26 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
>> if (!nr_pages)
>> return -EINVAL;
>>
>> - if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size)
>> - return -EPERM;
>> + account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);
>>
>> - if ((too_many_pipe_buffers_hard(pipe->user) ||
>> - too_many_pipe_buffers_soft(pipe->user)) &&
>> - !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
>> - return -EPERM;
>> + /*
>> + * If trying to increase the pipe capacity, check that an
>> + * unprivileged user is not trying to exceed various limits.
>> + * (Decreasing the pipe capacity is always permitted, even
>> + * if the user is currently over a limit.)
>> + */
>> + if (nr_pages > pipe->buffers) {
>> + if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
>> + ret = -EPERM;
>> + goto out_revert_acct;
>> + } else if ((too_many_pipe_buffers_hard(pipe->user) ||
>> + too_many_pipe_buffers_soft(pipe->user)) &&
>> + !capable(CAP_SYS_RESOURCE) &&
>> + !capable(CAP_SYS_ADMIN)) {
>> + ret = -EPERM;
>> + goto out_revert_acct;
>> + }
>> + }
>
> I'm slightly worried about not checking arg/nr_pages before we pass it
> on to account_pipe_buffers().
>
> The potential problem happens if the user passes a very large number
> which will overflow pipe->user->pipe_bufs.
>
> On 32-bit, sizeof(int) == sizeof(long), so if they pass arg = INT_MAX
> then round_pipe_size() returns INT_MAX. Although it's true that the
> accounting is done in terms of pages and not bytes, so you'd need on the
> order of (1 << 13) = 8192 processes hitting the limit at the same time
> in order to make it overflow, which seems a bit unlikely.
>
> (See https://lkml.org/lkml/2016/8/12/215 for another discussion on the
> limit checking)
>
> Is there any reason why we couldn't do the (size > pipe_max_size) check
> before calling account_pipe_buffers()?

No reason that I can see. Just a little more work to be done in the
code, I think.

Cheers,

Michael

--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

Next message: Kees Cook: "Re: usercopy: kernel memory exposure attempt detected"
Previous message: Andi Kleen: "Re: [RFC PATCH v8 1/9] Restartable sequences system call"
In reply to: Vegard Nossum: "Re: [PATCH 4/8] pipe: fix limit checking in pipe_set_size()"
Next in thread: Michael Kerrisk (man-pages): "Re: [PATCH 4/8] pipe: fix limit checking in pipe_set_size()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]