
net/ipv4: ping_group_range: allow GID from 2147483648 to 4294967294

With this commit, all the GIDs ("0 4294967294") can be written to the
"net.ipv4.ping_group_range" sysctl.

Note that 4294967295 (0xffffffff) is an invalid GID (see gid_valid() in
include/linux/uidgid.h), and an attempt to register this number will cause
-EINVAL.

Prior to this commit, only up to GID 2147483647 could be covered.
Documentation/networking/ip-sysctl.rst had "0 4294967295" as an example
value, but this example was wrong and caused -EINVAL.

Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Co-developed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Akihiro Suda and committed by
David S. Miller
e209fee4 5a59a58e

+7 -11
+2 -2
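--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -1352,8 +1352,8 @@
 Restrict ICMP_PROTO datagram sockets to users in the group range.
 The default is "1 0", meaning, that nobody (not even root) may
 create ping sockets. Setting it to "100 100" would grant permissions
-to the single group. "0 4294967295" would enable it for the world, "100
-4294967295" would enable it for the users, but not daemons.
+to the single group. "0 4294967294" would enable it for the world, "100
+4294967294" would enable it for the users, but not daemons.
 
 tcp_early_demux - BOOLEAN
 Enable early demux for established TCP sockets.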
+1 -5
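--- a/include/net/ping.h
+++ b/include/net/ping.h
@@ -16,11 +16,7 @@
 #define PING_HTABLE_SIZE 64
 #define PING_HTABLE_MASK (PING_HTABLE_SIZE-1)
 
-/*
- * gid_t is either uint or ushort. We want to pass it to
- * proc_dointvec_minmax(), so it must not be larger than MAX_INT
- */
-#define GID_T_MAX (((gid_t)~0U) >> 1)
+#define GID_T_MAX (((gid_t)~0U) - 1)
 
 /* Compatibility glue so we can support IPv6 when it's compiled as a module */
 struct pingv6_ops {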
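Review bot: The new `GID_T_MAX` definition loses its explanatory comment along with the old value, so nothing at the macro says why the limit is one below the all-ones value. The commit message gives the reason (4294967295 fails gid_valid()), and that belongs next to the define, e.g. `/* Largest valid GID; (gid_t)-1 is rejected by gid_valid() */`. This constant is the upper bound of net.ipv4.ping_group_range, which decides which groups may open ping sockets, so a reader who takes the name for the type's maximum could reintroduce the invalid value.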
+4 -4
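--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -34,8 +34,8 @@
 static int ip_ttl_max = 255;
 static int tcp_syn_retries_min = 1;
 static int tcp_syn_retries_max = MAX_TCP_SYNCNT;
-static int ip_ping_group_range_min[] = { 0, 0 };
-static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
+static unsigned long ip_ping_group_range_min[] = { 0, 0 };
+static unsigned long ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
 static u32 u32_max_div_HZ = UINT_MAX / HZ;
 static int one_day_secs = 24 * 3600;
 static u32 fib_multipath_hash_fields_all_mask __maybe_unused =
@@ -165,7 +165,7 @@
 {
 struct user_namespace *user_ns = current_user_ns();
 int ret;
-gid_t urange[2];
+unsigned long urange[2];
 kgid_t low, high;
 struct ctl_table tmp = {
 .data = &urange,
@@ -178,7 +178,7 @@
 inet_get_ping_group_range_table(table, &low, &high);
 urange[0] = from_kgid_munged(user_ns, low);
 urange[1] = from_kgid_munged(user_ns, high);
-ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
+ret = proc_doulongvec_minmax(&tmp, write, buffer, lenp, ppos);
 
 if (write && ret == 0) {
 low = make_kgid(user_ns, urange[0]);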
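Review bot: With `urange` widened to `unsigned long`, the write path at `low = make_kgid(user_ns, urange[0]);` now narrows to `gid_t` implicitly, and nothing in the function states why that cannot truncate. It is presumably safe because proc_doulongvec_minmax() checks each value against the bounds held in `tmp`, most likely `ip_ping_group_range_max` through `.extra2`; the rest of the `tmp` initializer and of the function lie outside the hunks shown. A comment above the call would pin the invariant down: `/* urange[] is capped at GID_T_MAX via tmp.extra2, so the conversion to gid_t below is lossless */`. Without it, a later change to the bounds arrays on a 64-bit build could let a value above 32 bits wrap into a different, valid GID in the range that gates ping sockets.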