1 | From 5e5570c4ae0a12ae1deea4615f8669a5ceb0330d Mon Sep 17 00:00:00 2001 |
2 | From: Christian Brauner <christian@brauner.io> | |
3 | Date: Tue, 14 May 2019 15:44:55 -0700 | |
4 | Subject: sysctl: return -EINVAL if val violates minmax | |
5 | ||
6 | [ Upstream commit e260ad01f0aa9e96b5386d5cd7184afd949dc457 ] | |
7 | ||
8 | Currently when userspace gives us a value that overflows e.g. file-max | |
9 | and other callers of __do_proc_doulongvec_minmax() we simply ignore the | |
10 | new value and leave the current value untouched. | |
11 | ||
12 | This can be problematic as it gives the illusion that the limit has | |
13 | indeed been bumped when in fact it failed. This commit makes sure to | |
14 | return EINVAL when an overflow is detected. Please note that this is a | |
15 | userspace facing change. | |
16 | ||
17 | Link: http://lkml.kernel.org/r/20190210203943.8227-4-christian@brauner.io | |
18 | Signed-off-by: Christian Brauner <christian@brauner.io> | |
19 | Acked-by: Luis Chamberlain <mcgrof@kernel.org> | |
20 | Cc: Kees Cook <keescook@chromium.org> | |
21 | Cc: Alexey Dobriyan <adobriyan@gmail.com> | |
22 | Cc: Al Viro <viro@zeniv.linux.org.uk> | |
23 | Cc: Dominik Brodowski <linux@dominikbrodowski.net> | |
24 | Cc: "Eric W. Biederman" <ebiederm@xmission.com> | |
25 | Cc: Joe Lawrence <joe.lawrence@redhat.com> | |
26 | Cc: Waiman Long <longman@redhat.com> | |
27 | Signed-off-by: Andrew Morton <akpm@linux-foundation.org> | |
28 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | |
29 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
30 | --- | |
31 | kernel/sysctl.c | 6 ++++-- | |
32 | 1 file changed, 4 insertions(+), 2 deletions(-) | |
33 | ||
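--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2461,8 +2461,10 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int
 if (neg)
 continue;
 val = convmul * val / convdiv;
- if ((min && val < *min) || (max && val > *max))
- continue;
+ if ((min && val < *min) || (max && val > *max)) {
+ err = -EINVAL;
+ break;
+ }
 *i = val;
 } else {
 val = convdiv * (*i) / convmul;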
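Review bot: The new range check runs after `val = convmul * val / convdiv;`, so it only sees the product once it may already have wrapped `unsigned long`; a very large written value could wrap into the [*min, *max] window and be stored by `*i = val` rather than rejected with -EINVAL. Whether that is reachable depends on convmul, which callers outside the hunk supply; a guard ahead of the multiply such as `if (convmul && val > ULONG_MAX / convmul) { err = -EINVAL; break; }` would close it. The `if (neg) continue;` just above still drops a negative input silently, which leaves the same "write appeared to succeed" illusion this commit removes for out-of-range values. The loop header and the function's return path are outside the hunk, so how `err` reaches userspace after the `break`, and whether earlier vector elements have already been written at that point, should be confirmed there.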
51 | -- | |
52 | 2.20.1 | |
53 |