4.9-stable review patch. If anyone has any objections, please let me know.
------------------
[ Upstream commit 09be178400829dddc1189b50a7888495dd26aa84 ]
If the number of input parameters is less than the total parameters, an EINVAL error will be returned.
For example, we use proc_doulongvec_minmax to pass up to two parameters with kern_table:
{ .procname = "monitor_signals", .data = &monitor_sigs, .maxlen = 2*sizeof(unsigned long), .mode = 0644, .proc_handler = proc_doulongvec_minmax, },
Reproduce:
When passing two parameters, it's work normal. But passing only one parameter, an error "Invalid argument"(EINVAL) is returned.
[root@cl150 ~]# echo 1 2 > /proc/sys/kernel/monitor_signals [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals 1 2 [root@cl150 ~]# echo 3 > /proc/sys/kernel/monitor_signals -bash: echo: write error: Invalid argument [root@cl150 ~]# echo $? 1 [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals 3 2 [root@cl150 ~]#
The following is the result after apply this patch. No error is returned when the number of input parameters is less than the total parameters.
[root@cl150 ~]# echo 1 2 > /proc/sys/kernel/monitor_signals [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals 1 2 [root@cl150 ~]# echo 3 > /proc/sys/kernel/monitor_signals [root@cl150 ~]# echo $? 0 [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals 3 2 [root@cl150 ~]#
There are three processing functions dealing with digital parameters, __do_proc_dointvec/__do_proc_douintvec/__do_proc_doulongvec_minmax.
This patch deals with __do_proc_doulongvec_minmax, just as __do_proc_dointvec does, adding a check for parameters 'left'. In __do_proc_douintvec, its code implementation explicitly does not support multiple inputs.
static int __do_proc_douintvec(...){ ... /* * Arrays are not supported, keep this simple. *Do not* add * support for them. */ if (vleft != 1) { *lenp = 0; return -EINVAL; } ... }
So, just __do_proc_doulongvec_minmax has the problem. And most use of proc_doulongvec_minmax/proc_doulongvec_ms_jiffies_minmax just have one parameter.
Link: http://lkml.kernel.org/r/1544081775-15720-1-git-send-email-cheng.lin130@zte.... Signed-off-by: Cheng Lin cheng.lin130@zte.com.cn Acked-by: Luis Chamberlain mcgrof@kernel.org Reviewed-by: Kees Cook keescook@chromium.org Cc: Alexey Dobriyan adobriyan@gmail.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- kernel/sysctl.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 23f658d311c0..93c7b02279b9 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -2503,6 +2503,8 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int bool neg;
left -= proc_skip_spaces(&p); + if (!left) + break;
err = proc_get_long(&p, &left, &val, &neg, proc_wspace_sep,