From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.5 required=3.0 tests=INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4E568C47258 for ; Tue, 5 May 2020 22:03:33 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 031B620575 for ; Tue, 5 May 2020 22:03:32 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 031B620575 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 8D1328E0005; Tue, 5 May 2020 18:03:31 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 880F18E0003; Tue, 5 May 2020 18:03:31 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 795998E0005; Tue, 5 May 2020 18:03:31 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0214.hostedemail.com [216.40.44.214]) by kanga.kvack.org (Postfix) with ESMTP id 5F62D8E0003 for ; Tue, 5 May 2020 18:03:31 -0400 (EDT) Received: from smtpin24.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id 1EADC180AD806 for ; Tue, 5 May 2020 22:03:31 +0000 (UTC) X-FDA: 76784042622.24.hill37_1ea825937641e X-HE-Tag: hill37_1ea825937641e X-Filterd-Recvd-Size: 5927 Received: from mail-pj1-f65.google.com (mail-pj1-f65.google.com [209.85.216.65]) by imf09.hostedemail.com (Postfix) with ESMTP for ; Tue, 5 May 2020 22:03:30 +0000 (UTC) Received: by mail-pj1-f65.google.com with SMTP id q24so240144pjd.1 for ; Tue, 05 May 2020 15:03:30 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=Lpi8MZJNSPhbvdnHwiB6LcQYNoz5iZcaJ91eFfyKq3I=; b=i1ob47t5E3JlQSdryDt6r2JKTCAeEW3f6gwVXN2cEDngmx+VzXZgnTi4oFR6UXmfwF 6ZEhuGGC2I33SnwujEHX7LO1lDZwXkc5qgbClYX3KOHlK77+B1Yp8847SzXz2WFrnnSc k0IFQ1oIXoznuSdO8W6E426vf8bPGIbZdpBagPOVvz1qVEtVisRUkfUOVnqcvMS4i4Si 4a5quVpO+SHrKAWQ8ZwuMU3XWRjd1y5jBz4rAK7KJq0C09amTB1UfO+d3WVYmD6fT37T eHWql0rKAwc0pdripnYYbC64LDerze829Hrfb/47DwxSd/EcjLd7QeU8Zz6kR+XdPeNb Rfkg== X-Gm-Message-State: AGi0PubiOn21ZE7ogxO+jNJLBjPhJGuG9Js6VmmOxnmglG9CtipM/3CT pVSlpL51gl/seOLtajyHgBg= X-Google-Smtp-Source: APiQypIlQ7vp+PigyBUJjXs2IzjQDASyZB2j0a3df8Yc3dcT5dEuIN8kzQWJl3UYEKmIcOD1rDvh5g== X-Received: by 2002:a17:90a:3ace:: with SMTP id b72mr5651418pjc.48.1588716209523; Tue, 05 May 2020 15:03:29 -0700 (PDT) Received: from 42.do-not-panic.com (42.do-not-panic.com. [157.230.128.187]) by smtp.gmail.com with ESMTPSA id b73sm9201pfb.52.2020.05.05.15.03.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 05 May 2020 15:03:28 -0700 (PDT) Received: by 42.do-not-panic.com (Postfix, from userid 1000) id 5616C403EA; Tue, 5 May 2020 22:03:27 +0000 (UTC) Date: Tue, 5 May 2020 22:03:27 +0000 From: Luis Chamberlain To: Kees Cook Cc: Greg KH , Christoph Hellwig , Iurii Zaikin , Alexey Dobriyan , linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] sysctl: Make sure proc handlers can't expose heap memory Message-ID: <20200505220327.GV11244@42.do-not-panic.com> References: <202005041205.C7AF4AF@keescook> <20200504195937.GS11244@42.do-not-panic.com> <202005041329.169799C65D@keescook> <20200504215903.GT11244@42.do-not-panic.com> <20200505063441.GA3877399@kroah.com> <202005051339.5F1979C4DF@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <202005051339.5F1979C4DF@keescook> User-Agent: Mutt/1.10.1 (2018-07-13) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Tue, May 05, 2020 at 01:41:44PM -0700, Kees Cook wrote: > On Tue, May 05, 2020 at 08:34:41AM +0200, Greg KH wrote: > > On Mon, May 04, 2020 at 09:59:03PM +0000, Luis Chamberlain wrote: > > > On Mon, May 04, 2020 at 01:32:07PM -0700, Kees Cook wrote: > > > > On Mon, May 04, 2020 at 07:59:37PM +0000, Luis Chamberlain wrote: > > > > > On Mon, May 04, 2020 at 12:08:55PM -0700, Kees Cook wrote: > > > > > > Just as a precaution, make sure that proc handlers don't accidentally > > > > > > grow "count" beyond the allocated kbuf size. > > > > > > > > > > > > Signed-off-by: Kees Cook > > > > > > --- > > > > > > This applies to hch's sysctl cleanup tree... > > > > > > --- > > > > > > fs/proc/proc_sysctl.c | 3 +++ > > > > > > 1 file changed, 3 insertions(+) > > > > > > > > > > > > diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c > > > > > > index 15030784566c..535ab26473af 100644 > > > > > > --- a/fs/proc/proc_sysctl.c > > > > > > +++ b/fs/proc/proc_sysctl.c > > > > > > @@ -546,6 +546,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf, > > > > > > struct inode *inode = file_inode(filp); > > > > > > struct ctl_table_header *head = grab_header(inode); > > > > > > struct ctl_table *table = PROC_I(inode)->sysctl_entry; > > > > > > + size_t count_max = count; > > > > > > void *kbuf; > > > > > > ssize_t error; > > > > > > > > > > > > @@ -590,6 +591,8 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf, > > > > > > > > > > > > if (!write) { > > > > > > error = -EFAULT; > > > > > > + if (WARN_ON(count > count_max)) > > > > > > + count = count_max; > > > > > > > > > > That would crash a system with panic-on-warn. I don't think we want that? > > > > > > > > Eh? None of the handlers should be making this mistake currently and > > > > it's not a mistake that can be controlled from userspace. WARN() is > > > > absolutely what's wanted here: report an impossible situation (and > > > > handle it gracefully for the bulk of users that don't have > > > > panic_on_warn set). > > > > > > Alrighty, Greg are you OK with this type of WARN_ON()? You recently > > > expressed concerns over its use due to panic-on-warn on another patch. > > > > We should never call WARN() on any path that a user can trigger. > > > > If it is just a "the developer called this api in a foolish way" then we > > could use a WARN_ON() to have them realize their mistake, but in my > > personal experience, foolish developers don't even notice that kind of > > mistake :( > > Right -- while it'd be nice if the developer noticed it, it is _usually_ > an unsuspecting end user (or fuzzer), in which case we absolutely want a > WARN (and not a BUG![1]) and have the situations handled gracefully, so > it can be reported and fixed. I've been using WARN*() for this exact purpose before, so I am as surprised as you are bout these concerns. However if we have folks shipping with panic-on-warn this would be rather detrimental to our goals. Greg, are you aware of folks shipping with panic-on-warn on some products? Luis