The patch titled
Subject: pipe: reject F_SETPIPE_SZ with size over UINT_MAX
has been added to the -mm tree. Its filename is
pipe-reject-f_setpipe_sz-with-size-over-uint_max.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/pipe-reject-f_setpipe_sz-with-size-over-uint_max.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/pipe-reject-f_setpipe_sz-with-size-over-uint_max.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/SubmitChecklist when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Eric Biggers <ebiggers@xxxxxxxxxx>
Subject: pipe: reject F_SETPIPE_SZ with size over UINT_MAX
A pipe's size is represented as an 'unsigned int'. As expected, writing a
value greater than UINT_MAX to /proc/sys/fs/pipe-max-size fails with
EINVAL. However, the F_SETPIPE_SZ fcntl silently truncates such values to
32 bits, rather than failing with EINVAL as expected. (It *does* fail
with EINVAL for values above (1 << 31) but <= UINT_MAX.)
Fix this by moving the check against UINT_MAX into round_pipe_size() which
is called in both cases.
Link: http://lkml.kernel.org/r/20180111052902.14409-6-ebiggers3@xxxxxxxxx
Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>
Acked-by: Joe Lawrence <joe.lawrence@xxxxxxxxxx>
Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: "Luis R . Rodriguez" <mcgrof@xxxxxxxxxx>
Cc: Michael Kerrisk <mtk.manpages@xxxxxxxxx>
Cc: Mikulas Patocka <mpatocka@xxxxxxxxxx>
Cc: Willy Tarreau <w@xxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
fs/pipe.c | 5 ++++-
include/linux/pipe_fs_i.h | 2 +-
kernel/sysctl.c | 3 ---
3 files changed, 5 insertions(+), 5 deletions(-)
diff -puN fs/pipe.c~pipe-reject-f_setpipe_sz-with-size-over-uint_max fs/pipe.c
--- a/fs/pipe.c~pipe-reject-f_setpipe_sz-with-size-over-uint_max
+++ a/fs/pipe.c
@@ -1020,10 +1020,13 @@ const struct file_operations pipefifo_fo
* Currently we rely on the pipe array holding a power-of-2 number
* of pages. Returns 0 on error.
*/
-unsigned int round_pipe_size(unsigned int size)
+unsigned int round_pipe_size(unsigned long size)
{
unsigned long nr_pages;
+ if (size > UINT_MAX)
+ return 0;
+
/* Minimum pipe size, as required by POSIX */
if (size < PAGE_SIZE)
size = PAGE_SIZE;
diff -puN include/linux/pipe_fs_i.h~pipe-reject-f_setpipe_sz-with-size-over-uint_max include/linux/pipe_fs_i.h
--- a/include/linux/pipe_fs_i.h~pipe-reject-f_setpipe_sz-with-size-over-uint_max
+++ a/include/linux/pipe_fs_i.h
@@ -190,6 +190,6 @@ long pipe_fcntl(struct file *, unsigned
struct pipe_inode_info *get_pipe_info(struct file *file);
int create_pipe_files(struct file **, int);
-unsigned int round_pipe_size(unsigned int size);
+unsigned int round_pipe_size(unsigned long size);
#endif
diff -puN kernel/sysctl.c~pipe-reject-f_setpipe_sz-with-size-over-uint_max kernel/sysctl.c
--- a/kernel/sysctl.c~pipe-reject-f_setpipe_sz-with-size-over-uint_max
+++ a/kernel/sysctl.c
@@ -2623,9 +2623,6 @@ static int do_proc_dopipe_max_size_conv(
if (write) {
unsigned int val;
- if (*lvalp > UINT_MAX)
- return -EINVAL;
-
val = round_pipe_size(*lvalp);
if (val == 0)
return -EINVAL;
_
Patches currently in -mm which might be from ebiggers@xxxxxxxxxx are
userfaultfd-convert-to-use-anon_inode_getfd.patch
pipe-sysctl-drop-min-parameter-from-pipe-max-size-converter.patch
pipe-sysctl-remove-pipe_proc_fn.patch
pipe-actually-allow-root-to-exceed-the-pipe-buffer-limits.patch
pipe-fix-off-by-one-error-when-checking-buffer-limits.patch
pipe-reject-f_setpipe_sz-with-size-over-uint_max.patch
pipe-simplify-round_pipe_size.patch
pipe-read-buffer-limits-atomically.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
