From patchwork Thu Jan 11 05:29:02 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 10157115 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 54F83602B3 for ; Thu, 11 Jan 2018 05:31:38 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4863A286AB for ; Thu, 11 Jan 2018 05:31:38 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3AB28286B4; Thu, 11 Jan 2018 05:31:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C60A1286AB for ; Thu, 11 Jan 2018 05:31:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753948AbeAKFbH (ORCPT ); Thu, 11 Jan 2018 00:31:07 -0500 Received: from mail-pf0-f194.google.com ([209.85.192.194]:44949 "EHLO mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751852AbeAKFbF (ORCPT ); Thu, 11 Jan 2018 00:31:05 -0500 Received: by mail-pf0-f194.google.com with SMTP id m26so681393pfj.11; Wed, 10 Jan 2018 21:31:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=6R/pCb0oCXnqtinU0QqX2gPPbLSKCLZuHPEYmIpnM/A=; b=RVCZUhP0jbp18g0bOHB/BbntghunX1r799DhFrYA+HyLQZUvWPvhrrXf7Xq2ZaFtKT bgk+omtxCpkTqRNz+fk2uZR/EXqubT9VwRmScwhyaLg1oropR5WVJk5WCYaDqEnRjr54 7/lRkFlwFNWzjtSkV75Cn4cxLgxWmC5glKf8uc/CpocY6RAmevYXieciRdHn9PVy5FFh YK203p0+hNp6ncmH34O06XJrKwQygDJPLFxKhzpyB2E8SFbzoBvUassJg2sFgUARSLSc Cv0wYwCV+tcEPk2y9bN9vHKyfjNc0HKS4p2iDledp/2kFkDJqj1JH/6TGDew7IM591BL yhNw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=6R/pCb0oCXnqtinU0QqX2gPPbLSKCLZuHPEYmIpnM/A=; b=nGY3m76ftGpRWl/lJX2spcd/awYFTnkvGg4Irz54LwVKVSXF5Gvo1Xt5QL6z6uFVlj HwkqAVzQOOdxWL7wwxectYSfX1okWNvTzk+BQVbF3Og+PpDy31xDNyvcrGabW1TVSsvp a2in8Dt2RP/XlibffPhArTBoPOiJGfChqmqCCiCMutS0dru6iFT4ke/rGIUh7997ucwA Z/6Y0Q5Q76FSrgj4yYOmSHeVs85ZoIusgAz/X30WKQrpPYaw16RdVCpv25QPI8I37YbG rOmAv5F+oimSdynQSAMvd+jpKS1gnxSa4HQUAJL61AyXHXcdlzVJ0fnCesCK8ZeVahee jCuw== X-Gm-Message-State: AKwxytchXvPtxtp3vlpuubkAWhJKIJky0YJVvb8GzNk2JZO8JmQ+aIS4 t/GcN8rpM7hAH2QyzGqoGUtbGhZODv4= X-Google-Smtp-Source: ACJfBovGMVmkYJdPCZSFGx5aXql7PgPHCyM8n1eEIw21oblYDBk0nJ2p1K9lJ7TbmRp64szOSVJKyw== X-Received: by 10.84.248.139 with SMTP id q11mr2216952pll.236.1515648664339; Wed, 10 Jan 2018 21:31:04 -0800 (PST) Received: from zzz.localdomain (c-67-185-97-198.hsd1.wa.comcast.net. [67.185.97.198]) by smtp.gmail.com with ESMTPSA id h63sm32276519pgc.71.2018.01.10.21.31.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Jan 2018 21:31:03 -0800 (PST) From: Eric Biggers To: linux-fsdevel@vger.kernel.org Cc: Alexander Viro , Joe Lawrence , Michael Kerrisk , Willy Tarreau , Mikulas Patocka , "Luis R . Rodriguez" , Kees Cook , linux-kernel@vger.kernel.org, Eric Biggers Subject: [PATCH v2 7/7] pipe: read buffer limits atomically Date: Wed, 10 Jan 2018 21:29:02 -0800 Message-Id: <20180111052902.14409-8-ebiggers3@gmail.com> X-Mailer: git-send-email 2.15.1 In-Reply-To: <20180111052902.14409-1-ebiggers3@gmail.com> References: <20180111052902.14409-1-ebiggers3@gmail.com> Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers The pipe buffer limits are accessed without any locking, and may be changed at any time by the sysctl handlers. In theory this could cause problems for expressions like the following: pipe_user_pages_hard && user_bufs > pipe_user_pages_hard ... since the assembly code might reference the 'pipe_user_pages_hard' memory location multiple times, and if the admin removes the limit by setting it to 0, there is a very brief window where processes could incorrectly observe the limit to be exceeded. Fix this by loading the limits with READ_ONCE() prior to use. Acked-by: Kees Cook Signed-off-by: Eric Biggers --- fs/pipe.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/fs/pipe.c b/fs/pipe.c index 458f866caf53..deeb303aa4ce 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -605,12 +605,16 @@ static unsigned long account_pipe_buffers(struct user_struct *user, static bool too_many_pipe_buffers_soft(unsigned long user_bufs) { - return pipe_user_pages_soft && user_bufs > pipe_user_pages_soft; + unsigned long soft_limit = READ_ONCE(pipe_user_pages_soft); + + return soft_limit && user_bufs > soft_limit; } static bool too_many_pipe_buffers_hard(unsigned long user_bufs) { - return pipe_user_pages_hard && user_bufs > pipe_user_pages_hard; + unsigned long hard_limit = READ_ONCE(pipe_user_pages_hard); + + return hard_limit && user_bufs > hard_limit; } static bool is_unprivileged_user(void) @@ -624,13 +628,14 @@ struct pipe_inode_info *alloc_pipe_info(void) unsigned long pipe_bufs = PIPE_DEF_BUFFERS; struct user_struct *user = get_current_user(); unsigned long user_bufs; + unsigned int max_size = READ_ONCE(pipe_max_size); pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL_ACCOUNT); if (pipe == NULL) goto out_free_uid; - if (pipe_bufs * PAGE_SIZE > pipe_max_size && !capable(CAP_SYS_RESOURCE)) - pipe_bufs = pipe_max_size >> PAGE_SHIFT; + if (pipe_bufs * PAGE_SIZE > max_size && !capable(CAP_SYS_RESOURCE)) + pipe_bufs = max_size >> PAGE_SHIFT; user_bufs = account_pipe_buffers(user, 0, pipe_bufs);