From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from userp1040.oracle.com ([156.151.31.81]:37513 "EHLO
	userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752152AbcHPWBJ (ORCPT
	<rfc822;stable@vger.kernel.org>); Tue, 16 Aug 2016 18:01:09 -0400
Subject: Re: [PATCH 2/2] pipe: make pipe user buffer limit checks more precise
To: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>,
	Andrew Morton <akpm@linux-foundation.org>
References: <86c85cff-7fee-cded-386a-e1d518573dda@gmail.com>
 <db82480c-7956-b89d-1f4e-ba2c94f4067e@gmail.com>
 <57B301FE.9090108@oracle.com>
 <1532b6c4-c618-348c-d36a-9679d5d5a1b4@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>, socketpair@gmail.com,
	Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
	Jens Axboe <axboe@fb.com>, Al Viro <viro@zeniv.linux.org.uk>,
	stable@vger.kernel.org, linux-api@vger.kernel.org,
	linux-kernel@vger.kernel.org
From: Vegard Nossum <vegard.nossum@oracle.com>
Message-ID: <57B38CF7.5080803@oracle.com>
Date: Wed, 17 Aug 2016 00:00:23 +0200
MIME-Version: 1.0
In-Reply-To: <1532b6c4-c618-348c-d36a-9679d5d5a1b4@gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On 08/16/2016 10:21 PM, Michael Kerrisk (man-pages) wrote:
>>> @@ -1132,8 +1136,8 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
>>>    			if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
>>>    				ret = -EPERM;
>>>    				goto out;
>>> -			} else if ((too_many_pipe_buffers_hard(pipe->user) ||
>>> -				too_many_pipe_buffers_soft(pipe->user)) &&
>>> +			} else if ((too_many_pipe_buffers_hard(pipe->user, nr_pages) ||
>>> +				too_many_pipe_buffers_soft(pipe->user, nr_pages)) &&
>>>    				!capable(CAP_SYS_RESOURCE) &&
>>>    				!capable(CAP_SYS_ADMIN)) {
>>>    				ret = -EPERM;
>>>
>>
>> Isn't there also a race where two or more concurrent pipe()/fnctl()
>> calls can together push us over the limits before the accounting is done?
>
> I guess there is!
>
>> I think there really ought to be a check after doing the accounting if
>> we really want to be meticulous here.
>
> Let me confirm what I understand from your comment: because of the race,
> then a user could subvert the checks and allocate an arbitrary amount
> of kernel memory for pipes. Right?
>
> I'm not sure what you mean by "a check after doing the accounting". Is not the
> only solution here some kind of lock around the check+accounting steps?

Instead of doing atomic_long_read() in the check + atomic_long_add() for
accounting we could do a single speculative atomic_long_add_return() and
then if it goes above the limit we can lower it again with atomic_sub()
when aborting the operation (if it doesn't go above the limit we don't
need to do anything).


Vegard