From: Eric Sandeen <sandeen@sandeen.net>
To: Eric Sandeen <sandeen@redhat.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
fsdevel <linux-fsdevel@vger.kernel.org>,
netdev@vger.kernel.org
Cc: Luis Chamberlain <mcgrof@kernel.org>, Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH] sysctl: Fix proc_do_large_bitmap for large input buffers
Date: Mon, 4 Mar 2019 22:43:09 -0600 [thread overview]
Message-ID: <0ffd0eea-ca64-0128-2835-a9856b224e07@sandeen.net> (raw)
In-Reply-To: <53be40fc-6ec4-c714-a64e-f69c96f7058f@redhat.com>
On 2/20/19 5:32 PM, Eric Sandeen wrote:
> Today, proc_do_large_bitmap() truncates a large write input buffer
> to PAGE_SIZE - 1, which may result in misparsed numbers at the
> (truncated) end of the buffer. Further, it fails to notify the caller
> that the buffer was truncated, so it doesn't get called iteratively
> to finish the entire input buffer.
>
> Tell the caller if there's more work to do by adding the skipped
> amount back to left/*lenp before returning.
>
> To fix the misparsing, reset the position if we have completely
> consumed a truncated buffer (or if just one char is left, which
> may be a "-" in a range), and ask the caller to come back for
> more.
>
> Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Would be nice to fix this bug. I submitted the test node patch as well
as an attempt to integrate it into the test harness, though there's
wonkiness there still, and I could use more experienced eyes.
Can we move this forward?
Thanks,
-Eric
> ---
>
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index ba4d9e85feb8..970a96659809 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -3089,9 +3089,13 @@ int proc_do_large_bitmap(struct ctl_table *table, int write,
>
> if (write) {
> char *kbuf, *p;
> + size_t skipped = 0;
>
> - if (left > PAGE_SIZE - 1)
> + if (left > PAGE_SIZE - 1) {
> left = PAGE_SIZE - 1;
> + /* How much of the buffer we'll skip this pass */
> + skipped = *lenp - left;
> + }
>
> p = kbuf = memdup_user_nul(buffer, left);
> if (IS_ERR(kbuf))
> @@ -3108,9 +3112,22 @@ int proc_do_large_bitmap(struct ctl_table *table, int write,
> while (!err && left) {
> unsigned long val_a, val_b;
> bool neg;
> + size_t saved_left;
>
> + /* In case we stop parsing mid-number, we can reset */
> + saved_left = left;
> err = proc_get_long(&p, &left, &val_a, &neg, tr_a,
> sizeof(tr_a), &c);
> + /*
> + * If we consumed the entirety of a truncated buffer or
> + * only one char is left (may be a "-"), then stop here,
> + * reset, & come back for more.
> + */
> + if ((left <= 1) && skipped) {
> + left = saved_left;
> + break;
> + }
> +
> if (err)
> break;
> if (val_a >= bitmap_len || neg) {
> @@ -3128,6 +3145,15 @@ int proc_do_large_bitmap(struct ctl_table *table, int write,
> err = proc_get_long(&p, &left, &val_b,
> &neg, tr_b, sizeof(tr_b),
> &c);
> + /*
> + * If we consumed all of a truncated buffer or
> + * then stop here, reset, & come back for more.
> + */
> + if (!left && skipped) {
> + left = saved_left;
> + break;
> + }
> +
> if (err)
> break;
> if (val_b >= bitmap_len || neg ||
> @@ -3146,6 +3172,7 @@ int proc_do_large_bitmap(struct ctl_table *table, int write,
> proc_skip_char(&p, &left, '\n');
> }
> kfree(kbuf);
> + left += skipped;
> } else {
> unsigned long bit_a, bit_b = 0;
>
>
>
next prev parent reply other threads:[~2019-03-05 4:43 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-20 23:32 [PATCH] sysctl: Fix proc_do_large_bitmap for large input buffers Eric Sandeen
2019-02-20 23:35 ` Eric Sandeen
2019-02-21 15:18 ` Luis Chamberlain
2019-02-21 17:47 ` Eric Sandeen
2019-02-21 17:52 ` Luis Chamberlain
2019-02-21 17:59 ` Eric Sandeen
2019-02-21 17:45 ` [PATCH] sysctl: add proc_do_large_bitmap test node Eric Sandeen
2019-02-21 18:40 ` Kees Cook
2019-02-21 18:43 ` [PATCH] test_sysctl: add proc_do_large_bitmap test function Eric Sandeen
2019-02-21 19:01 ` Eric Sandeen
2019-02-21 19:16 ` [PATCH V2] " Eric Sandeen
2019-03-05 4:43 ` Eric Sandeen [this message]
2019-03-19 15:30 ` [PATCH] sysctl: Fix proc_do_large_bitmap for large input buffers Luis Chamberlain
2019-03-19 15:57 ` Luis Chamberlain
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0ffd0eea-ca64-0128-2835-a9856b224e07@sandeen.net \
--to=sandeen@sandeen.net \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=sandeen@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox