From patchwork Mon Jan 8 05:35:38 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 10149049 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 348BC601BE for ; Mon, 8 Jan 2018 05:39:53 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 27A02287A6 for ; Mon, 8 Jan 2018 05:39:53 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1C2CC287BE; Mon, 8 Jan 2018 05:39:53 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C95EC287A6 for ; Mon, 8 Jan 2018 05:39:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755544AbeAHFi5 (ORCPT ); Mon, 8 Jan 2018 00:38:57 -0500 Received: from mail-pf0-f193.google.com ([209.85.192.193]:37075 "EHLO mail-pf0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754579AbeAHFix (ORCPT ); Mon, 8 Jan 2018 00:38:53 -0500 Received: by mail-pf0-f193.google.com with SMTP id n6so5258536pfa.4; Sun, 07 Jan 2018 21:38:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=PIxCoaGrioT9suK5NzZaoghJLSq+yEOQERJVrm088so=; b=KKPrJfzuSARnzJ/9mBfWPBA58NUifaSuGvr2g5Fgjun5np70vo/izy/UAVbInfFkoq LtmThWrWChsLFDK7e8PzhLPucUeovgwvYHC+9XZnGgIdAVvTE+bGztkrHXDSJqi6R6Jf JKUc7P5Paf5DstbUW+WCJxTQm3CMJBV6PGejGrluZ9cuh1kwI5b9Px4/MtS/j1R55o6+ W/VR5PPLZc/mkm9Oyn5tK3DItHd5p7IFK7xFLZg9Of0uWws+Bay6taR/C1CFHwA2Kvgu 0xIKanU9cUhQnQ3WEqy+0UhwEp7ywd81oozU+QXm0O5hK6hanupUtsq/V2EV6TDJa0+h up/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=PIxCoaGrioT9suK5NzZaoghJLSq+yEOQERJVrm088so=; b=eOWWpLn/sYcm0ngqo4YvGBMi4QxrPSpKC+LNjavLx0MfD7SgBuKGmjvUlphdKhznAM rTRQr5uZlJv0y5CB3rge9X0ROzu3x43qVC4sWNEU8VPRS77sd1/0Vs+qjy4CDUCCYyo6 /qOL1n6HXAwUF9M+r030A/4j27wvAFyCCAFujeV80mwBV0yQkkOIxAnV9HurG9inKRcE t70ADGrgjsb9njPMnwUbUh5KGMFSiDq/xaV3TTg0hAkV/8clPvUA3OR+ExM/jaE2cx23 Po69TZ3Vbm7aAavEFJSRRL2Cs8NFteZH40lbU+fxvMVMhOYdp0eYr3K1BgtRa9dXTJfH +8Xw== X-Gm-Message-State: AKGB3mKrjVhGpW9ACbJgGzdlwfJLua4nUAtQuDxNorewiSqWF/OtRgIV 4KEAtHPZ+Xk9aVFEViVBCyYQrrp7 X-Google-Smtp-Source: ACJfBouc48mk3eUyY8ai0UgTIjOMPhY6n7gNPXJU2tGQw666pKxDyVDtEfwqOmwYs//3+Zv3sd97Pg== X-Received: by 10.99.51.77 with SMTP id z74mr8642629pgz.324.1515389932690; Sun, 07 Jan 2018 21:38:52 -0800 (PST) Received: from zzz.localdomain (c-67-185-97-198.hsd1.wa.comcast.net. [67.185.97.198]) by smtp.gmail.com with ESMTPSA id w84sm26611743pfk.16.2018.01.07.21.38.51 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 07 Jan 2018 21:38:52 -0800 (PST) From: Eric Biggers To: linux-fsdevel@vger.kernel.org Cc: Alexander Viro , Joe Lawrence , Michael Kerrisk , Willy Tarreau , Mikulas Patocka , "Luis R . Rodriguez" , Kees Cook , linux-kernel@vger.kernel.org, Eric Biggers , stable@vger.kernel.org Subject: [PATCH 3/7] pipe: actually allow root to exceed the pipe buffer limits Date: Sun, 7 Jan 2018 21:35:38 -0800 Message-Id: <20180108053542.6472-4-ebiggers3@gmail.com> X-Mailer: git-send-email 2.15.1 In-Reply-To: <20180108053542.6472-1-ebiggers3@gmail.com> References: <20180108053542.6472-1-ebiggers3@gmail.com> Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers pipe-user-pages-hard and pipe-user-pages-soft are only supposed to apply to unprivileged users, as documented in both Documentation/sysctl/fs.txt and the pipe(7) man page. However, the capabilities are actually only checked when increasing a pipe's size using F_SETPIPE_SZ, not when creating a new pipe. Therefore, if pipe-user-pages-hard has been set, the root user can run into it and be unable to create pipes. Similarly, if pipe-user-pages-soft has been set, the root user can run into it and have their pipes limited to 1 page each. Fix this by allowing the privileged override in both cases. Fixes: 759c01142a5d ("pipe: limit the per-user amount of pages allocated in pipes") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers --- fs/pipe.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/fs/pipe.c b/fs/pipe.c index d0dec5e7ef33..847ecc388820 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -613,6 +613,11 @@ static bool too_many_pipe_buffers_hard(unsigned long user_bufs) return pipe_user_pages_hard && user_bufs >= pipe_user_pages_hard; } +static bool is_unprivileged_user(void) +{ + return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); +} + struct pipe_inode_info *alloc_pipe_info(void) { struct pipe_inode_info *pipe; @@ -629,12 +634,12 @@ struct pipe_inode_info *alloc_pipe_info(void) user_bufs = account_pipe_buffers(user, 0, pipe_bufs); - if (too_many_pipe_buffers_soft(user_bufs)) { + if (too_many_pipe_buffers_soft(user_bufs) && is_unprivileged_user()) { user_bufs = account_pipe_buffers(user, pipe_bufs, 1); pipe_bufs = 1; } - if (too_many_pipe_buffers_hard(user_bufs)) + if (too_many_pipe_buffers_hard(user_bufs) && is_unprivileged_user()) goto out_revert_acct; pipe->bufs = kcalloc(pipe_bufs, sizeof(struct pipe_buffer), @@ -1065,7 +1070,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg) if (nr_pages > pipe->buffers && (too_many_pipe_buffers_hard(user_bufs) || too_many_pipe_buffers_soft(user_bufs)) && - !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) { + is_unprivileged_user()) { ret = -EPERM; goto out_revert_acct; }