On Sun, Jan 7, 2018 at 9:35 PM, Eric Biggers <ebiggers3@xxxxxxxxx> wrote: > From: Eric Biggers <ebiggers@xxxxxxxxxx> > > A pipe's size is represented as an 'unsigned int'. As expected, writing > a value greater than UINT_MAX to /proc/sys/fs/pipe-max-size fails with > EINVAL. However, the F_SETPIPE_SZ fcntl silently truncates such values > to 32 bits, rather than failing with EINVAL as expected. (It *does* > fail with EINVAL for values above (1 << 31) but <= UINT_MAX.) > > Fix this by moving the check against UINT_MAX into round_pipe_size() > which is called in both cases. > > Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx> Acked-by: Kees Cook <keescook@xxxxxxxxxxxx> -Kees > --- > fs/pipe.c | 5 ++++- > include/linux/pipe_fs_i.h | 2 +- > kernel/sysctl.c | 3 --- > 3 files changed, 5 insertions(+), 5 deletions(-) > > diff --git a/fs/pipe.c b/fs/pipe.c > index 9f20e7128578..f1ee1e599495 100644 > --- a/fs/pipe.c > +++ b/fs/pipe.c > @@ -1020,10 +1020,13 @@ const struct file_operations pipefifo_fops = { > * Currently we rely on the pipe array holding a power-of-2 number > * of pages. Returns 0 on error. > */ > -unsigned int round_pipe_size(unsigned int size) > +unsigned int round_pipe_size(unsigned long size) > { > unsigned long nr_pages; > > + if (size > UINT_MAX) > + return 0; > + > /* Minimum pipe size, as required by POSIX */ > if (size < PAGE_SIZE) > size = PAGE_SIZE; > diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h > index 5028bd4b2c96..5a3bb3b7c9ad 100644 > --- a/include/linux/pipe_fs_i.h > +++ b/include/linux/pipe_fs_i.h > @@ -190,6 +190,6 @@ long pipe_fcntl(struct file *, unsigned int, unsigned long arg); > struct pipe_inode_info *get_pipe_info(struct file *file); > > int create_pipe_files(struct file **, int); > -unsigned int round_pipe_size(unsigned int size); > +unsigned int round_pipe_size(unsigned long size); > > #endif > diff --git a/kernel/sysctl.c b/kernel/sysctl.c > index 33e2f0f02000..31fe10fd745f 100644 > --- a/kernel/sysctl.c > +++ b/kernel/sysctl.c > @@ -2630,9 +2630,6 @@ static int do_proc_dopipe_max_size_conv(unsigned long *lvalp, > if (write) { > unsigned int val; > > - if (*lvalp > UINT_MAX) > - return -EINVAL; > - > val = round_pipe_size(*lvalp); > if (val == 0) > return -EINVAL; > -- > 2.15.1 > -- Kees Cook Pixel Security