From patchwork Thu Jan 11 05:28:58 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 10157119 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id A289E602B3 for ; Thu, 11 Jan 2018 05:31:49 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 93AF2286AB for ; Thu, 11 Jan 2018 05:31:49 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8372F286B4; Thu, 11 Jan 2018 05:31:49 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 33529286AB for ; Thu, 11 Jan 2018 05:31:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753809AbeAKFbG (ORCPT ); Thu, 11 Jan 2018 00:31:06 -0500 Received: from mail-pf0-f196.google.com ([209.85.192.196]:46304 "EHLO mail-pf0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751873AbeAKFbB (ORCPT ); Thu, 11 Jan 2018 00:31:01 -0500 Received: by mail-pf0-f196.google.com with SMTP id y5so683109pff.13; Wed, 10 Jan 2018 21:31:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=PIxCoaGrioT9suK5NzZaoghJLSq+yEOQERJVrm088so=; b=vJ6Gn5QFlzlv3bToKhjP06TAI5Yl3DEQtrCdLzKKFFvhcmnCXtRSHKysmDpN+/mNJ9 6MwM+TQ8s6nlmxJ729h8TuRnxjQbKuX7zm4UJsg4Us34HCOs7ZrgFGFJ6PpK+m3/barU HRIRDIsL8P25H5pNuqM9xlQwpBYPswK3N/jMA0lbGTDr/bRqro8l0ofccndIfjb1IAVL LVWqyXxLlS9Q6zMbRc3yTQrlKvu8eiVQYA0D14v3lrbC6bc5+cwzyYu49//SHBCwy9pv sE1yRgu0juCQ6Y2uvh4cQP1Fl+y8DTV/9djW2AXTQE/zDc2HAy6cfxIjG9rSHHtHzCo7 zZaw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=PIxCoaGrioT9suK5NzZaoghJLSq+yEOQERJVrm088so=; b=HjyvnMrE+5UUvm6tpZme0c9KEigHKuB5JPehLOPddhx49J/8bq2KrPrTSRhR4a8kJG HtMWpjzorKYTrL2U1BYcxiEzJuJUUXgd2XJsgsGmWYhdhIYI9fuLWmWtPS+TOc39HaWv ld6R6ta/Dm7nlOmWYVHDZbxfTIH5nQ+jqCUy0YUf5mYm9D08QZZJz/DJdR72MOzu3pAp lC/kF0K+Qu2K01wWk+GMcsfbx2A7nsab99NHpcuBfRnVZ+s9emYVQi4UtG37NVWGlAO+ nswqhY4Yslyv6rZD5MjYNzr0XA59Vd5dAkw6BqgNKiYas3Wgb2PXwqWMtFZKxcTE4zPG bLcA== X-Gm-Message-State: AKGB3mJeD5QU2iO7acoJ0faRe5A21t5Tgy5M6QvgcJHaRId6QYg7jzfr yyuDwt9uQoaHkl8QR/oEiWj+ycSCRwA= X-Google-Smtp-Source: ACJfBos2lqL9hLArEtSOwPqdyXBTSPn3AtAGgaf2+RizV70HCEnJdG0TdKUPBlHH3R9idVJ/6r8OZw== X-Received: by 10.159.205.129 with SMTP id v1mr21282721plo.31.1515648660120; Wed, 10 Jan 2018 21:31:00 -0800 (PST) Received: from zzz.localdomain (c-67-185-97-198.hsd1.wa.comcast.net. [67.185.97.198]) by smtp.gmail.com with ESMTPSA id h63sm32276519pgc.71.2018.01.10.21.30.58 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Jan 2018 21:30:59 -0800 (PST) From: Eric Biggers To: linux-fsdevel@vger.kernel.org Cc: Alexander Viro , Joe Lawrence , Michael Kerrisk , Willy Tarreau , Mikulas Patocka , "Luis R . Rodriguez" , Kees Cook , linux-kernel@vger.kernel.org, Eric Biggers , stable@vger.kernel.org Subject: [PATCH v2 3/7] pipe: actually allow root to exceed the pipe buffer limits Date: Wed, 10 Jan 2018 21:28:58 -0800 Message-Id: <20180111052902.14409-4-ebiggers3@gmail.com> X-Mailer: git-send-email 2.15.1 In-Reply-To: <20180111052902.14409-1-ebiggers3@gmail.com> References: <20180111052902.14409-1-ebiggers3@gmail.com> Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers pipe-user-pages-hard and pipe-user-pages-soft are only supposed to apply to unprivileged users, as documented in both Documentation/sysctl/fs.txt and the pipe(7) man page. However, the capabilities are actually only checked when increasing a pipe's size using F_SETPIPE_SZ, not when creating a new pipe. Therefore, if pipe-user-pages-hard has been set, the root user can run into it and be unable to create pipes. Similarly, if pipe-user-pages-soft has been set, the root user can run into it and have their pipes limited to 1 page each. Fix this by allowing the privileged override in both cases. Fixes: 759c01142a5d ("pipe: limit the per-user amount of pages allocated in pipes") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers --- fs/pipe.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/fs/pipe.c b/fs/pipe.c index d0dec5e7ef33..847ecc388820 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -613,6 +613,11 @@ static bool too_many_pipe_buffers_hard(unsigned long user_bufs) return pipe_user_pages_hard && user_bufs >= pipe_user_pages_hard; } +static bool is_unprivileged_user(void) +{ + return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); +} + struct pipe_inode_info *alloc_pipe_info(void) { struct pipe_inode_info *pipe; @@ -629,12 +634,12 @@ struct pipe_inode_info *alloc_pipe_info(void) user_bufs = account_pipe_buffers(user, 0, pipe_bufs); - if (too_many_pipe_buffers_soft(user_bufs)) { + if (too_many_pipe_buffers_soft(user_bufs) && is_unprivileged_user()) { user_bufs = account_pipe_buffers(user, pipe_bufs, 1); pipe_bufs = 1; } - if (too_many_pipe_buffers_hard(user_bufs)) + if (too_many_pipe_buffers_hard(user_bufs) && is_unprivileged_user()) goto out_revert_acct; pipe->bufs = kcalloc(pipe_bufs, sizeof(struct pipe_buffer), @@ -1065,7 +1070,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg) if (nr_pages > pipe->buffers && (too_many_pipe_buffers_hard(user_bufs) || too_many_pipe_buffers_soft(user_bufs)) && - !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) { + is_unprivileged_user()) { ret = -EPERM; goto out_revert_acct; }