[thirdparty/kernel/stable-queue.git] / queue-4.14 / sysctl-return-einval-if-val-violates-minmax.patch

From 34c151fde52a22d6b02c2fe85542e393ee5ac0b3 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian@brauner.io>
Date: Tue, 14 May 2019 15:44:55 -0700
Subject: sysctl: return -EINVAL if val violates minmax

[ Upstream commit e260ad01f0aa9e96b5386d5cd7184afd949dc457 ]

Currently when userspace gives us a values that overflow e.g.  file-max
and other callers of __do_proc_doulongvec_minmax() we simply ignore the
new value and leave the current value untouched.

This can be problematic as it gives the illusion that the limit has
indeed be bumped when in fact it failed.  This commit makes sure to
return EINVAL when an overflow is detected.  Please note that this is a
userspace facing change.

Link: http://lkml.kernel.org/r/20190210203943.8227-4-christian@brauner.io
Signed-off-by: Christian Brauner <christian@brauner.io>
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Joe Lawrence <joe.lawrence@redhat.com>
Cc: Waiman Long <longman@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sysctl.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index f13601a616ad..cfc2c0d1369a 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2732,8 +2732,10 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
 			if (neg)
 				continue;
 			val = convmul * val / convdiv;
-			if ((min && val < *min) || (max && val > *max))
-				continue;
+			if ((min && val < *min) || (max && val > *max)) {
+				err = -EINVAL;
+				break;
+			}
 			*i = val;
 		} else {
 			val = convdiv * (*i) / convmul;
-- 
2.20.1
Commit	Line	Data
6e4ffbcf SL	1	From 34c151fde52a22d6b02c2fe85542e393ee5ac0b3 Mon Sep 17 00:00:00 2001
	2	From: Christian Brauner <christian@brauner.io>
	3	Date: Tue, 14 May 2019 15:44:55 -0700
	4	Subject: sysctl: return -EINVAL if val violates minmax
	5
	6	[ Upstream commit e260ad01f0aa9e96b5386d5cd7184afd949dc457 ]
	7
	8	Currently when userspace gives us a values that overflow e.g. file-max
	9	and other callers of __do_proc_doulongvec_minmax() we simply ignore the
	10	new value and leave the current value untouched.
	11
	12	This can be problematic as it gives the illusion that the limit has
	13	indeed be bumped when in fact it failed. This commit makes sure to
	14	return EINVAL when an overflow is detected. Please note that this is a
	15	userspace facing change.
	16
	17	Link: http://lkml.kernel.org/r/20190210203943.8227-4-christian@brauner.io
	18	Signed-off-by: Christian Brauner <christian@brauner.io>
	19	Acked-by: Luis Chamberlain <mcgrof@kernel.org>
	20	Cc: Kees Cook <keescook@chromium.org>
	21	Cc: Alexey Dobriyan <adobriyan@gmail.com>
	22	Cc: Al Viro <viro@zeniv.linux.org.uk>
	23	Cc: Dominik Brodowski <linux@dominikbrodowski.net>
	24	Cc: "Eric W. Biederman" <ebiederm@xmission.com>
	25	Cc: Joe Lawrence <joe.lawrence@redhat.com>
	26	Cc: Waiman Long <longman@redhat.com>
	27	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	28	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	29	Signed-off-by: Sasha Levin <sashal@kernel.org>
	30	---
	31	kernel/sysctl.c \| 6 ++++--
	32	1 file changed, 4 insertions(+), 2 deletions(-)
	33
	34	diff --git a/kernel/sysctl.c b/kernel/sysctl.c
	35	index f13601a616ad..cfc2c0d1369a 100644
	36	--- a/kernel/sysctl.c
	37	+++ b/kernel/sysctl.c
	38	@@ -2732,8 +2732,10 @@ static int __do_proc_doulongvec_minmax(void data, struct ctl_table table, int
	39	if (neg)
	40	continue;
	41	val = convmul * val / convdiv;
	42	- if ((min && val < min) \|\| (max && val > max))
	43	- continue;
	44	+ if ((min && val < min) \|\| (max && val > max)) {
	45	+ err = -EINVAL;
	46	+ break;
	47	+ }
	48	*i = val;
	49	} else {
	50	val = convdiv * (*i) / convmul;
	51	--
	52	2.20.1
	53