From: Alexey Gladkov <legion@kernel.org>
To: Andrei Vagin <avagin@google.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
	Kees Cook <kees@kernel.org>,
	Roman Gushchin <roman.gushchin@linux.dev>,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] ucounts: fix counter leak in inc_rlimit_get_ucounts()
Date: Thu, 31 Oct 2024 10:50:44 +0100
Message-ID: <ZyNS9J7TOQ84AkYz@example.org>
In-Reply-To: <20241031045602.309600-1-avagin@google.com>

On Thu, Oct 31, 2024 at 04:56:01AM +0000, Andrei Vagin wrote:
> The inc_rlimit_get_ucounts() increments the specified rlimit counter and
> then checks its limit. If the value exceeds the limit, the function
> returns an error without decrementing the counter.
> 
> Fixes: 15bc01effefe ("ucounts: Fix signal ucount refcounting")
> Tested-by: Roman Gushchin <roman.gushchin@linux.dev>
> Co-debugged-by: Roman Gushchin <roman.gushchin@linux.dev>
> Cc: Kees Cook <kees@kernel.org>
> Cc: Andrei Vagin <avagin@google.com>
> Cc: "Eric W. Biederman" <ebiederm@xmission.com>
> Cc: Alexey Gladkov <legion@kernel.org>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Andrei Vagin <avagin@google.com>
> ---
>  kernel/ucount.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/kernel/ucount.c b/kernel/ucount.c
> index 8c07714ff27d..16c0ea1cb432 100644
> --- a/kernel/ucount.c
> +++ b/kernel/ucount.c
> @@ -328,13 +328,12 @@ long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type)
>  		if (new != 1)
>  			continue;
>  		if (!get_ucounts(iter))
> -			goto dec_unwind;
> +			goto unwind;
>  	}
>  	return ret;
> -dec_unwind:
> +unwind:
>  	dec = atomic_long_sub_return(1, &iter->rlimit[type]);
>  	WARN_ON_ONCE(dec < 0);
> -unwind:
>  	do_dec_rlimit_put_ucounts(ucounts, iter, type);
>  	return 0;
>  }
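
Review bot: The only `goto` edited in this hunk is the one taken when get_ucounts() fails, and that path already reached the atomic_long_sub_return() through `dec_unwind:`, so the behaviour change comes entirely from moving the `unwind:` label above the decrement, which affects any `goto unwind` outside the lines shown here (per the commit message, the limit-exceeded path). That makes the fix hard to see when reading or backporting the diff. Consider keeping `dec_unwind:` where it is and retargeting the limit-check jump to it, so the changed line is the one that was leaking, or state in the commit message that the limit-exceeded jump is the one that now reaches the decrement. With a single label left, a short comment above `unwind:` saying that iter's own counter is dropped here, separately from the do_dec_rlimit_put_ucounts(ucounts, iter, type) call, would help the next reader.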

Agree. The do_dec_rlimit_put_ucounts() decreases rlimit up to iter but
does not include it.

Except for a small NAK because the patch changes goto for get_ucounts()
and not for rlimit overflow check.

Acked-by: Alexey Gladkov <legion@kernel.org>

-- 
Rgrds, legion

