From: Vegard Nossum <vegard.nossum-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
To: "Michael Kerrisk (man-pages)"
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Andrew Morton
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
Cc: Willy Tarreau <w@1wt.eu>,
socketpair-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
Tetsuo Handa
<penguin-kernel-JPay3/Yim36HaxMnTkn67Xf5DAMn2ifp@public.gmane.org>,
Jens Axboe <axboe-b10kYP2dOMg@public.gmane.org>,
Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>,
stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH 2/2] pipe: make pipe user buffer limit checks more precise
Date: Wed, 17 Aug 2016 00:00:23 +0200 [thread overview]
Message-ID: <57B38CF7.5080803@oracle.com> (raw)
In-Reply-To: <1532b6c4-c618-348c-d36a-9679d5d5a1b4-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
On 08/16/2016 10:21 PM, Michael Kerrisk (man-pages) wrote:
>>> @@ -1132,8 +1136,8 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
>>> if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
>>> ret = -EPERM;
>>> goto out;
>>> - } else if ((too_many_pipe_buffers_hard(pipe->user) ||
>>> - too_many_pipe_buffers_soft(pipe->user)) &&
>>> + } else if ((too_many_pipe_buffers_hard(pipe->user, nr_pages) ||
>>> + too_many_pipe_buffers_soft(pipe->user, nr_pages)) &&
>>> !capable(CAP_SYS_RESOURCE) &&
>>> !capable(CAP_SYS_ADMIN)) {
>>> ret = -EPERM;
>>>
>>
>> Isn't there also a race where two or more concurrent pipe()/fnctl()
>> calls can together push us over the limits before the accounting is done?
>
> I guess there is!
>
>> I think there really ought to be a check after doing the accounting if
>> we really want to be meticulous here.
>
> Let me confirm what I understand from your comment: because of the race,
> then a user could subvert the checks and allocate an arbitrary amount
> of kernel memory for pipes. Right?
>
> I'm not sure what you mean by "a check after doing the accounting". Is not the
> only solution here some kind of lock around the check+accounting steps?
Instead of doing atomic_long_read() in the check + atomic_long_add() for
accounting we could do a single speculative atomic_long_add_return() and
then if it goes above the limit we can lower it again with atomic_sub()
when aborting the operation (if it doesn't go above the limit we don't
need to do anything).
Vegard
WARNING: multiple messages have this Message-ID (diff)
From: Vegard Nossum <vegard.nossum@oracle.com>
To: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>,
socketpair@gmail.com,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Jens Axboe <axboe@fb.com>, Al Viro <viro@zeniv.linux.org.uk>,
stable@vger.kernel.org, linux-api@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] pipe: make pipe user buffer limit checks more precise
Date: Wed, 17 Aug 2016 00:00:23 +0200 [thread overview]
Message-ID: <57B38CF7.5080803@oracle.com> (raw)
In-Reply-To: <1532b6c4-c618-348c-d36a-9679d5d5a1b4@gmail.com>
On 08/16/2016 10:21 PM, Michael Kerrisk (man-pages) wrote:
>>> @@ -1132,8 +1136,8 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
>>> if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
>>> ret = -EPERM;
>>> goto out;
>>> - } else if ((too_many_pipe_buffers_hard(pipe->user) ||
>>> - too_many_pipe_buffers_soft(pipe->user)) &&
>>> + } else if ((too_many_pipe_buffers_hard(pipe->user, nr_pages) ||
>>> + too_many_pipe_buffers_soft(pipe->user, nr_pages)) &&
>>> !capable(CAP_SYS_RESOURCE) &&
>>> !capable(CAP_SYS_ADMIN)) {
>>> ret = -EPERM;
>>>
>>
>> Isn't there also a race where two or more concurrent pipe()/fnctl()
>> calls can together push us over the limits before the accounting is done?
>
> I guess there is!
>
>> I think there really ought to be a check after doing the accounting if
>> we really want to be meticulous here.
>
> Let me confirm what I understand from your comment: because of the race,
> then a user could subvert the checks and allocate an arbitrary amount
> of kernel memory for pipes. Right?
>
> I'm not sure what you mean by "a check after doing the accounting". Is not the
> only solution here some kind of lock around the check+accounting steps?
Instead of doing atomic_long_read() in the check + atomic_long_add() for
accounting we could do a single speculative atomic_long_add_return() and
then if it goes above the limit we can lower it again with atomic_sub()
when aborting the operation (if it doesn't go above the limit we don't
need to do anything).
Vegard
next prev parent reply other threads:[~2016-08-16 22:00 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-16 11:10 [PATCH 1/2] pipe: check limits only when increasing pipe capacity Michael Kerrisk (man-pages)
2016-08-16 11:14 ` [PATCH 2/2] pipe: make pipe user buffer limit checks more precise Michael Kerrisk (man-pages)
2016-08-16 12:07 ` Vegard Nossum
2016-08-16 20:21 ` Michael Kerrisk (man-pages)
[not found] ` <1532b6c4-c618-348c-d36a-9679d5d5a1b4-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-08-16 22:00 ` Vegard Nossum [this message]
2016-08-16 22:00 ` Vegard Nossum
[not found] ` <57B38CF7.5080803-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
2016-08-17 8:02 ` Michael Kerrisk (man-pages)
2016-08-17 8:02 ` Michael Kerrisk (man-pages)
2016-08-17 19:34 ` Vegard Nossum
[not found] ` <57B4BC5B.9050405-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
2016-08-17 19:41 ` Michael Kerrisk (man-pages)
2016-08-17 19:41 ` Michael Kerrisk (man-pages)
[not found] ` <55f54f95-f614-179e-db4b-912adf2199bb-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-08-17 19:51 ` Vegard Nossum
2016-08-17 19:51 ` Vegard Nossum
[not found] ` <db82480c-7956-b89d-1f4e-ba2c94f4067e-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-08-19 5:07 ` Michael Kerrisk (man-pages)
2016-08-19 5:07 ` Michael Kerrisk (man-pages)
[not found] ` <86c85cff-7fee-cded-386a-e1d518573dda-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-08-16 11:55 ` [PATCH 1/2] pipe: check limits only when increasing pipe capacity Vegard Nossum
2016-08-16 11:55 ` Vegard Nossum
2016-08-19 5:07 ` Michael Kerrisk (man-pages)
2016-08-19 5:07 ` Michael Kerrisk (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=57B38CF7.5080803@oracle.com \
--to=vegard.nossum-qhclzuegtsvqt0dzr+alfa@public.gmane.org \
--cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=axboe-b10kYP2dOMg@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=penguin-kernel-JPay3/Yim36HaxMnTkn67Xf5DAMn2ifp@public.gmane.org \
--cc=socketpair-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.