Re: [PATCH] sysctl: Make sure proc handlers can't expose heap memory

From: Luis Chamberlain
Date: Mon May 04 2020 - 15:59:42 EST


On Mon, May 04, 2020 at 12:08:55PM -0700, Kees Cook wrote:
> Just as a precaution, make sure that proc handlers don't accidentally
> grow "count" beyond the allocated kbuf size.
>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> ---
> This applies to hch's sysctl cleanup tree...
> ---
> fs/proc/proc_sysctl.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
> index 15030784566c..535ab26473af 100644
> --- a/fs/proc/proc_sysctl.c
> +++ b/fs/proc/proc_sysctl.c
> @@ -546,6 +546,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
> struct inode *inode = file_inode(filp);
> struct ctl_table_header *head = grab_header(inode);
> struct ctl_table *table = PROC_I(inode)->sysctl_entry;
> + size_t count_max = count;
> void *kbuf;
> ssize_t error;
>
> @@ -590,6 +591,8 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
>
> if (!write) {
> error = -EFAULT;
> + if (WARN_ON(count > count_max))
> + count = count_max;

That crash a system with panic-on-warn. I don't think we want that?

Luis