Re: [PATCH 4/8] pipe: fix limit checking in pipe_set_size()
From: Michael Kerrisk (man-pages)
Date: Fri Aug 19 2016 - 19:18:00 EST
On 08/20/2016 08:56 AM, Michael Kerrisk (man-pages) wrote:
> Hi Vegard,
>
> On 08/19/2016 08:30 PM, Vegard Nossum wrote:
>> On 08/19/2016 07:25 AM, Michael Kerrisk (man-pages) wrote:
>>> The limit checking in pipe_set_size() (used by fcntl(F_SETPIPE_SZ))
>>> has the following problems:
>> [...]
>>> @@ -1030,6 +1030,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
>>> {
>>> struct pipe_buffer *bufs;
>>> unsigned int size, nr_pages;
>>> + long ret = 0;
>>>
>>> size = round_pipe_size(arg);
>>> nr_pages = size >> PAGE_SHIFT;
>>> @@ -1037,13 +1038,26 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
>>> if (!nr_pages)
>>> return -EINVAL;
>>>
>>> - if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size)
>>> - return -EPERM;
>>> + account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);
>>>
>>> - if ((too_many_pipe_buffers_hard(pipe->user) ||
>>> - too_many_pipe_buffers_soft(pipe->user)) &&
>>> - !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
>>> - return -EPERM;
>>> + /*
>>> + * If trying to increase the pipe capacity, check that an
>>> + * unprivileged user is not trying to exceed various limits.
>>> + * (Decreasing the pipe capacity is always permitted, even
>>> + * if the user is currently over a limit.)
>>> + */
>>> + if (nr_pages > pipe->buffers) {
>>> + if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
>>> + ret = -EPERM;
>>> + goto out_revert_acct;
>>> + } else if ((too_many_pipe_buffers_hard(pipe->user) ||
>>> + too_many_pipe_buffers_soft(pipe->user)) &&
>>> + !capable(CAP_SYS_RESOURCE) &&
>>> + !capable(CAP_SYS_ADMIN)) {
>>> + ret = -EPERM;
>>> + goto out_revert_acct;
>>> + }
>>> + }
>>
>> I'm slightly worried about not checking arg/nr_pages before we pass it
>> on to account_pipe_buffers().
>>
>> The potential problem happens if the user passes a very large number
>> which will overflow pipe->user->pipe_bufs.
>>
>> On 32-bit, sizeof(int) == sizeof(long), so if they pass arg = INT_MAX
>> then round_pipe_size() returns INT_MAX. Although it's true that the
>> accounting is done in terms of pages and not bytes, so you'd need on the
>> order of (1 << 13) = 8192 processes hitting the limit at the same time
>> in order to make it overflow, which seems a bit unlikely.
>>
>> (See https://lkml.org/lkml/2016/8/12/215 for another discussion on the
>> limit checking)
>>
>> Is there any reason why we couldn't do the (size > pipe_max_size) check
>> before calling account_pipe_buffers()?
>
> No reason that I can see. Just a little more work to be done in the
> code, I think.
And, just so I make sure we're understanding each other... I assume you
mean changing the code here to something like:
static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
{
struct pipe_buffer *bufs;
unsigned int size, nr_pages;
unsigned long user_bufs;
long ret = 0;
size = round_pipe_size(arg);
nr_pages = size >> PAGE_SHIFT;
if (!nr_pages)
return -EINVAL;
/*
* If trying to increase the pipe capacity, check that an
* unprivileged user is not trying to exceed various limits
* (soft limit check here, hard limit check just below).
* Decreasing the pipe capacity is always permitted, even
* if the user is currently over a limit.
*/
if (nr_pages > pipe->buffers &&
size > pipe_max_size && !capable(CAP_SYS_RESOURCE))
return -EPERM;
user_bufs = account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);
if (nr_pages > pipe->buffers &&
too_many_pipe_buffers_hard(user_bufs ||
too_many_pipe_buffers_soft(user_bufs)) &&
!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
ret = -EPERM;
goto out_revert_acct;
}
Right?
Thanks,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/