From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A2789C47247 for ; Tue, 5 May 2020 06:34:46 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 625C5206E6 for ; Tue, 5 May 2020 06:34:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="QdoHgdZF" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 625C5206E6 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linuxfoundation.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id D5FB88E009A; Tue, 5 May 2020 02:34:45 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id D0F3E8E0058; Tue, 5 May 2020 02:34:45 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id C241C8E009A; Tue, 5 May 2020 02:34:45 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0184.hostedemail.com [216.40.44.184]) by kanga.kvack.org (Postfix) with ESMTP id A84E48E0058 for ; Tue, 5 May 2020 02:34:45 -0400 (EDT) Received: from smtpin28.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 5D2891691B for ; Tue, 5 May 2020 06:34:45 +0000 (UTC) X-FDA: 76781702130.28.grip77_469498b91b215 X-HE-Tag: grip77_469498b91b215 X-Filterd-Recvd-Size: 4000 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf26.hostedemail.com (Postfix) with ESMTP for ; Tue, 5 May 2020 06:34:44 +0000 (UTC) Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A1000206CC; Tue, 5 May 2020 06:34:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1588660484; bh=EI2muG+asOrX7U2AolxDsDkX4CxBCxnvK0ZMzAVDPkY=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=QdoHgdZF/l07H77l97vo9if8+kenXB2DfksMgw4UDb33B73x4x2EAIv8KgviOz1Bg 4vQONFdBYgzx+WY+P/Tlxr5Qkpneac17nfvyIf0wG1N0s0ChfpxmIpb/h4Iy9zHkaY 2dx7bO1DFTi4prxw6mDDvctE3BVqkhPgMykUwm2U= Date: Tue, 5 May 2020 08:34:41 +0200 From: Greg KH To: Luis Chamberlain Cc: Kees Cook , Christoph Hellwig , Iurii Zaikin , Alexey Dobriyan , linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] sysctl: Make sure proc handlers can't expose heap memory Message-ID: <20200505063441.GA3877399@kroah.com> References: <202005041205.C7AF4AF@keescook> <20200504195937.GS11244@42.do-not-panic.com> <202005041329.169799C65D@keescook> <20200504215903.GT11244@42.do-not-panic.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200504215903.GT11244@42.do-not-panic.com> X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Mon, May 04, 2020 at 09:59:03PM +0000, Luis Chamberlain wrote: > On Mon, May 04, 2020 at 01:32:07PM -0700, Kees Cook wrote: > > On Mon, May 04, 2020 at 07:59:37PM +0000, Luis Chamberlain wrote: > > > On Mon, May 04, 2020 at 12:08:55PM -0700, Kees Cook wrote: > > > > Just as a precaution, make sure that proc handlers don't accidentally > > > > grow "count" beyond the allocated kbuf size. > > > > > > > > Signed-off-by: Kees Cook > > > > --- > > > > This applies to hch's sysctl cleanup tree... > > > > --- > > > > fs/proc/proc_sysctl.c | 3 +++ > > > > 1 file changed, 3 insertions(+) > > > > > > > > diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c > > > > index 15030784566c..535ab26473af 100644 > > > > --- a/fs/proc/proc_sysctl.c > > > > +++ b/fs/proc/proc_sysctl.c > > > > @@ -546,6 +546,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf, > > > > struct inode *inode = file_inode(filp); > > > > struct ctl_table_header *head = grab_header(inode); > > > > struct ctl_table *table = PROC_I(inode)->sysctl_entry; > > > > + size_t count_max = count; > > > > void *kbuf; > > > > ssize_t error; > > > > > > > > @@ -590,6 +591,8 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf, > > > > > > > > if (!write) { > > > > error = -EFAULT; > > > > + if (WARN_ON(count > count_max)) > > > > + count = count_max; > > > > > > That would crash a system with panic-on-warn. I don't think we want that? > > > > Eh? None of the handlers should be making this mistake currently and > > it's not a mistake that can be controlled from userspace. WARN() is > > absolutely what's wanted here: report an impossible situation (and > > handle it gracefully for the bulk of users that don't have > > panic_on_warn set). > > Alrighty, Greg are you OK with this type of WARN_ON()? You recently > expressed concerns over its use due to panic-on-warn on another patch. We should never call WARN() on any path that a user can trigger. If it is just a "the developer called this api in a foolish way" then we could use a WARN_ON() to have them realize their mistake, but in my personal experience, foolish developers don't even notice that kind of mistake :( thanks, greg k-h