Skip to content

Commit

Permalink
ipc, msg: forbid negative values for "msg{max,mnb,mni}"
Browse files Browse the repository at this point in the history
commit 9bf76ca325d5e9208eb343f7bd4cc666f703ed30 upstream.

Negative message lengths make no sense -- so don't do negative queue
lenghts or identifier counts. Prevent them from getting negative.

Also change the underlying data types to be unsigned to avoid hairy
surprises with sign extensions in cases where those variables get
evaluated in unsigned expressions with bigger data types, e.g size_t.

In case a user still wants to have "unlimited" sizes she could just use
INT_MAX instead.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
minipli authored and gregkh committed Dec 4, 2013
1 parent 4b825b9 commit a12503f
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 11 deletions.
6 changes: 3 additions & 3 deletions include/linux/ipc_namespace.h
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,9 @@ struct ipc_namespace {
int sem_ctls[4];
int used_sems;

int msg_ctlmax;
int msg_ctlmnb;
int msg_ctlmni;
unsigned int msg_ctlmax;
unsigned int msg_ctlmnb;
unsigned int msg_ctlmni;
atomic_t msg_bytes;
atomic_t msg_hdrs;
int auto_msgmni;
Expand Down
20 changes: 12 additions & 8 deletions ipc/ipc_sysctl.c
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ static int proc_ipc_dointvec_minmax_orphans(ctl_table *table, int write,
return err;
}

static int proc_ipc_callback_dointvec(ctl_table *table, int write,
static int proc_ipc_callback_dointvec_minmax(ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
struct ctl_table ipc_table;
Expand All @@ -72,7 +72,7 @@ static int proc_ipc_callback_dointvec(ctl_table *table, int write,
memcpy(&ipc_table, table, sizeof(ipc_table));
ipc_table.data = get_ipc(table);

rc = proc_dointvec(&ipc_table, write, buffer, lenp, ppos);
rc = proc_dointvec_minmax(&ipc_table, write, buffer, lenp, ppos);

if (write && !rc && lenp_bef == *lenp)
/*
Expand Down Expand Up @@ -152,15 +152,13 @@ static int proc_ipcauto_dointvec_minmax(ctl_table *table, int write,
#define proc_ipc_dointvec NULL
#define proc_ipc_dointvec_minmax NULL
#define proc_ipc_dointvec_minmax_orphans NULL
#define proc_ipc_callback_dointvec NULL
#define proc_ipc_callback_dointvec_minmax NULL
#define proc_ipcauto_dointvec_minmax NULL
#endif

static int zero;
static int one = 1;
#ifdef CONFIG_CHECKPOINT_RESTORE
static int int_max = INT_MAX;
#endif

static struct ctl_table ipc_kern_table[] = {
{
Expand Down Expand Up @@ -198,21 +196,27 @@ static struct ctl_table ipc_kern_table[] = {
.data = &init_ipc_ns.msg_ctlmax,
.maxlen = sizeof (init_ipc_ns.msg_ctlmax),
.mode = 0644,
.proc_handler = proc_ipc_dointvec,
.proc_handler = proc_ipc_dointvec_minmax,
.extra1 = &zero,
.extra2 = &int_max,
},
{
.procname = "msgmni",
.data = &init_ipc_ns.msg_ctlmni,
.maxlen = sizeof (init_ipc_ns.msg_ctlmni),
.mode = 0644,
.proc_handler = proc_ipc_callback_dointvec,
.proc_handler = proc_ipc_callback_dointvec_minmax,
.extra1 = &zero,
.extra2 = &int_max,
},
{
.procname = "msgmnb",
.data = &init_ipc_ns.msg_ctlmnb,
.maxlen = sizeof (init_ipc_ns.msg_ctlmnb),
.mode = 0644,
.proc_handler = proc_ipc_dointvec,
.proc_handler = proc_ipc_dointvec_minmax,
.extra1 = &zero,
.extra2 = &int_max,
},
{
.procname = "sem",
Expand Down

0 comments on commit a12503f

Please sign in to comment.