From patchwork Wed Mar 20 22:28:31 2019
X-Patchwork-Submitter: Luis Chamberlain
X-Patchwork-Id: 10862663
From: Luis Chamberlain
To: akpm@linux-foundation.org, keescook@chromium.org
Cc: sandeen@redhat.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Luis Chamberlain
Subject: [PATCH 6/6] sysctl: Fix proc_do_large_bitmap for large input buffers
Date: Wed, 20 Mar 2019 22:28:31 +0000
Message-Id: <20190320222831.8243-7-mcgrof@kernel.org>
In-Reply-To: <20190320222831.8243-1-mcgrof@kernel.org>
References: <20190320222831.8243-1-mcgrof@kernel.org>

From: Eric Sandeen

Today, proc_do_large_bitmap() truncates a large write input buffer to PAGE_SIZE - 1, which may result in misparsed numbers at the (truncated) end of the buffer. Further, it fails to notify the caller that the buffer was truncated, so it doesn't get called iteratively to finish the entire input buffer.

Tell the caller if there's more work to do by adding the skipped amount back to left/*lenp before returning.

To fix the misparsing, reset the position if we have completely consumed a truncated buffer (or if just one char is left, which may be a "-" in a range), and ask the caller to come back for more.

Signed-off-by: Eric Sandeen
Acked-by: Kees Cook
Signed-off-by: Luis Chamberlain

--- kernel/sysctl.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/kernel/sysctl.c b/kernel/sysctl.c index e1a8d785b839..ddc6c717355d 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -3159,9 +3159,13 @@ int proc_do_large_bitmap(struct ctl_table *table, int write, if (write) { char *kbuf, *p; + size_t skipped = 0; - if (left > PAGE_SIZE - 1) + if (left > PAGE_SIZE - 1) { left = PAGE_SIZE - 1; + /* How much of the buffer we'll skip this pass */ + skipped = *lenp - left; + } p = kbuf = memdup_user_nul(buffer, left); if (IS_ERR(kbuf)) @@ -3178,9 +3182,22 @@ int proc_do_large_bitmap(struct ctl_table *table, int write, while (!err && left) { unsigned long val_a, val_b; bool neg; + size_t saved_left; + /* In case we stop parsing mid-number, we can reset */ + saved_left = left; err = proc_get_long(&p, &left, &val_a, &neg, tr_a, sizeof(tr_a), &c); + /* + * If we consumed the entirety of a truncated buffer or + * only one char is left (may be a "-"), then stop here, + * reset, & come back for more. + */ + if ((left <= 1) && skipped) { + left = saved_left; + break; + } + if (err) break; if (val_a >= bitmap_len || neg) { 
@@ -3198,6 +3215,15 @@ int proc_do_large_bitmap(struct ctl_table *table, int write, err = proc_get_long(&p, &left, &val_b, &neg, tr_b, sizeof(tr_b), &c); + /* + * If we consumed all of a truncated buffer or + * then stop here, reset, & come back for more. + */ + if (!left && skipped) { + left = saved_left; + break; + } + if (err) break; if (val_b >= bitmap_len || neg || @@ -3216,6 +3242,7 @@ int proc_do_large_bitmap(struct ctl_table *table, int write, proc_skip_char(&p, &left, '\n'); } kfree(kbuf); + left += skipped; } else { unsigned long bit_a, bit_b = 0;
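Review bot: in the first hunk (@@ -3159), skipped is derived from *lenp (skipped = *lenp - left;) while the clamp it accounts for is applied to left, so the result is only right if left still equals *lenp at this point, which these lines do not show. Computing it from the value being clamped, for example skipped = left - (PAGE_SIZE - 1) before left is overwritten, keeps the two in step and makes the later left += skipped obviously restore the original count.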
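Review bot: in the val_a hunk (@@ -3178), the new truncation check sits between err = proc_get_long(...) and if (err) break;, so when it fires, whatever proc_get_long() returned for the cut-off token stays in err after the break. If that can be an error for a number that merely ran into the end of the truncated buffer, the write fails instead of asking the caller to come back; consider clearing err inside the branch, or checking err first and saying in the comment why an error here must still propagate. It is also worth stating what happens when saved_left is the whole clamped buffer (a single token of PAGE_SIZE - 1 bytes), since the reset then reports no progress for this pass.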
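Review bot: in the val_b hunk (@@ -3198), the added comment has a dangling clause, "If we consumed all of a truncated buffer or" followed directly by "then stop here", and the condition is !left where the val_a check uses left <= 1. Either finish the clause or drop the "or", and add a few words on why a single leftover character is acceptable after val_b but not after val_a.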
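Review bot: in the last hunk (@@ -3216), left += skipped; after kfree(kbuf) carries no comment, although it is the line that tells the caller input remains. A one-line comment would help, and since it runs on every exit from the loop, including the if (err) break; paths, please confirm that reporting the skipped bytes as unconsumed is also what is wanted when err is set.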