On Wed, Jan 10, 2018 at 9:28 PM, Eric Biggers <[email protected]> wrote: > This series simplifies the sysctl handler for pipe-max-size and fixes > another set of bugs related to the pipe buffer limits: > > - The root user wasn't allowed to exceed the limits when creating new > pipes. > > - There was an off-by-one error when checking the limits, so a limit of > N was actually treated as N - 1. > > - F_SETPIPE_SZ accepted values over UINT_MAX. > > - Reading the pipe buffer limits could be racy. > > Changed since v1: > > - Added "Fixes" tag to "pipe: fix off-by-one error when checking buffer > limits" > - In pipe_set_size(), checked 'nr_pages' rather than 'size' > - Fixed commit message for "pipe: simplify round_pipe_size()"
Thanks for the fixes! This looks good to me. Please consider the whole series: Acked-by: Kees Cook <[email protected]> -Kees > > Eric Biggers (7): > pipe, sysctl: drop 'min' parameter from pipe-max-size converter > pipe, sysctl: remove pipe_proc_fn() > pipe: actually allow root to exceed the pipe buffer limits > pipe: fix off-by-one error when checking buffer limits > pipe: reject F_SETPIPE_SZ with size over UINT_MAX > pipe: simplify round_pipe_size() > pipe: read buffer limits atomically > > fs/pipe.c | 57 > ++++++++++++++++++++--------------------------- > include/linux/pipe_fs_i.h | 5 ++--- > include/linux/sysctl.h | 3 --- > kernel/sysctl.c | 33 +++++---------------------- > 4 files changed, 32 insertions(+), 66 deletions(-) > > -- > 2.15.1 > -- Kees Cook Pixel Security
