Linux-Fsdevel Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Josef Bacik <josef@toxicpanda.com>
To: hch@lst.de, viro@ZenIV.linux.org.uk,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	willy@infradead.org, kernel-team@fb.com
Subject: [PATCH 3/6] proc: allocate count + 1 for our read buffer
Date: Thu, 13 Aug 2020 17:04:08 -0400	[thread overview]
Message-ID: <20200813210411.905010-4-josef@toxicpanda.com> (raw)
In-Reply-To: <20200813210411.905010-1-josef@toxicpanda.com>

Al suggested that if we allocate enough space to add in the '\0'
character at the end of our strings, we could just use scnprintf() in
our ->proc_handler functions without having to be fancy about keeping
track of space.  There are a lot of these handlers, so the follow ups
will be separate, but start with allocating the extra byte to handle the
null termination of strings.

Signed-off-by: Josef Bacik <josef@toxicpanda.com>
---
 fs/proc/proc_sysctl.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 8e19bad83b45..446e7a949025 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -548,6 +548,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
 	struct ctl_table *table = PROC_I(inode)->sysctl_entry;
 	void *kbuf;
 	ssize_t error;
+	size_t orig_count = count;
 
 	if (IS_ERR(head))
 		return PTR_ERR(head);
@@ -577,9 +578,23 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
 			goto out;
 		}
 	} else {
-		kbuf = kvzalloc(count, GFP_KERNEL);
+		/*
+		 * To make our lives easier in ->proc_handler, we allocate an
+		 * extra byte to allow us to use scnprintf() for handling the
+		 * buffer output.  This works properly because scnprintf() will
+		 * only return the number of bytes that it was able to write
+		 * out, _NOT_ including the NULL byte.  This means the handler's
+		 * will only ever return a maximum of count as what they've
+		 * copied.
+		 *
+		 * HOWEVER, we do not assume that ->proc_handlers are without
+		 * bugs, so further down we'll do an extra check to make sure
+		 * that count isn't larger than the orig_count.
+		 */
+		kbuf = kvzalloc(count + 1, GFP_KERNEL);
 		if (!kbuf)
 			goto out;
+		count += 1;
 	}
 
 	error = BPF_CGROUP_RUN_PROG_SYSCTL(head, table, write, &kbuf, &count,
@@ -593,6 +608,13 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
 		goto out_free_buf;
 
 	if (!write) {
+		/*
+		 * This shouldn't happen, but those are the last words before
+		 * somebody adds a security vulnerability, so just make sure
+		 * that count isn't larger than orig_count.
+		 */
+		if (count > orig_count)
+			count = orig_count;
 		error = -EFAULT;
 		if (copy_to_user(ubuf, kbuf, count))
 			goto out_free_buf;
-- 
2.24.1


  parent reply	other threads:[~2020-08-13 21:04 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-13 21:04 [PATCH 0/6] Some buffer management fixes for proc Josef Bacik
2020-08-13 21:04 ` [PATCH 1/6] proc: use vmalloc for our kernel buffer Josef Bacik
2020-09-01 15:14   ` Christoph Hellwig
2020-08-13 21:04 ` [PATCH 2/6] tree-wide: rename vmemdup_user to kvmemdup_user Josef Bacik
2020-09-01 15:14   ` Christoph Hellwig
2020-08-13 21:04 ` Josef Bacik [this message]
2020-09-01 15:14   ` [PATCH 3/6] proc: allocate count + 1 for our read buffer Christoph Hellwig
2020-08-13 21:04 ` [PATCH 4/6] sysctl: make proc_put_long() use scnprintf Josef Bacik
2020-09-01 15:15   ` Christoph Hellwig
2020-08-13 21:04 ` [PATCH 5/6] parport: rework procfs handlers to take advantage of the new buffer Josef Bacik
2020-09-01 15:15   ` Christoph Hellwig
2020-08-13 21:04 ` [PATCH 6/6] sunrpc: rework proc " Josef Bacik
2020-09-01 15:15   ` Christoph Hellwig

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200813210411.905010-4-josef@toxicpanda.com \
    --to=josef@toxicpanda.com \
    --cc=hch@lst.de \
    --cc=kernel-team@fb.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=viro@ZenIV.linux.org.uk \
    --cc=willy@infradead.org \
    --subject='Re: [PATCH 3/6] proc: allocate count + 1 for our read buffer' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).