Date: Thu, 16 Aug 2012 17:29:16 +1000
From: Peter Jeremy
To: Konstantin Belousov
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r239301 - in head/sys: kern nlm sys
Message-ID: <20120816072916.GA12294@server.rulingia.com>
In-Reply-To: <201208151556.q7FFuLnM076015@svn.freebsd.org>

On 2012-Aug-15 15:56:21 +0000, Konstantin Belousov wrote:
> Add a sysctl kern.pid_max, which limits the maximum pid the system is
> allowed to allocate, and corresponding tunable with the same
> name. Note that existing processes with higher pids are left intact.

Sorry for not picking this up when you first posted the patch but I think you need to place a lower bound on max_pid to prevent the system being rendered unusable.

>Modified: head/sys/kern/kern_fork.c >=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D >--- head/sys/kern/kern_fork.c Wed Aug 15 15:53:27 2012 (r239300) >+++ head/sys/kern/kern_fork.c Wed Aug 15 15:56:21 2012 (r239301)
>@@ -209,8 +209,8 @@ sysctl_kern_randompid(SYSCTL_HANDLER_ARG > pid =3D randompid; > error =3D sysctl_handle_int(oidp, &pid, 0, req); > if (error =3D=3D 0 && req->newptr !=3D NULL) { >- if (pid < 0 || pid > PID_MAX - 100) /* out of range */ >- pid =3D PID_MAX - 100; >+ if (pid < 0 || pid > pid_max - 100) /* out of range */ >+ pid =3D pid_max - 100;

Setting max_pid to a value less than 100 will have an undesirable effect here.

>+static int >+sysctl_kern_pid_max(SYSCTL_HANDLER_ARGS) >+{ >+ int error, pm; >+ >+ pm =3D pid_max; >+ error =3D sysctl_handle_int(oidp, &pm, 0, req); >+ if (error || !req->newptr) >+ return (error); >+ sx_xlock(&proctree_lock); >+ sx_xlock(&allproc_lock); >+ /* Only permit the values less then PID_MAX. */ >+ if (pm > PID_MAX) >+ error =3D EINVAL; >+ else >+ pid_max =3D pm; >+ sx_xunlock(&allproc_lock); >+ sx_xunlock(&proctree_lock); >+ return (error); >+} >+SYSCTL_PROC(_kern, OID_AUTO, pid_max, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_= TUN | >+ CTLFLAG_MPSAFE, 0, 0, sysctl_kern_pid_max, "I", >+ "Maximum allowed pid");

I don't see anything in this code that would prevent setting max_pid to an unusably low (as in making the system unusable) or even negative value

>+ TUNABLE_INT_FETCH("kern.pid_max", &pid_max); >+ if (pid_max > PID_MAX) >+ pid_max =3D PID_MAX; > }

Likewise, this needs a lower bounds check.

--
Peter Jeremy
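
Review bot: In the sysctl_kern_randompid hunk, the new bound `pid > pid_max - 100` and the assignment `pid = pid_max - 100` only make sense while pid_max is at least 100. With a smaller pid_max the expression is negative, so every non-negative input is treated as out of range and pid is set to a negative number, which the `pid < 0` test on the same line was meant to exclude. Suggest clamping the result to 0 when `pid_max - 100` is below 0, or guaranteeing a floor on pid_max elsewhere and saying so in the comment, since the bound is now a run-time variable rather than the PID_MAX constant.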
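
Review bot: sysctl_kern_pid_max checks only the upper side: `if (pm > PID_MAX)` returns EINVAL, while zero and negative values fall through to `pid_max = pm`. Add a lower-bound test to the same condition and return EINVAL for it, with the floor given as a named constant so the limit is documented. The handler also does not touch randompid, which the other hunk bounds by `pid_max - 100`, so lowering pid_max can leave it above the new bound; consider re-clamping it while the locks are held. Minor: the comment reads "less then PID_MAX", but the test admits pm equal to PID_MAX, so "not greater than" would match the code.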
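
Review bot: After `TUNABLE_INT_FETCH("kern.pid_max", &pid_max)` the only validation is `if (pid_max > PID_MAX)`, so a loader value of 0 or a negative number is taken as given at boot. Apply the same floor here as in the sysctl handler, preferably through one shared check so the boot-time and run-time paths cannot drift apart, and reset rejected input to PID_MAX the way the existing upper clamp does.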