Re: [PATCH] net/qrtr: restrict user-controlled length in qrtr_tun_write_iter()
On 2/2/21 10:20 AM, Sabyrzhan Tasbolatov wrote: > syzbot found WARNING in qrtr_tun_write_iter [1] when write_iter length > exceeds KMALLOC_MAX_SIZE causing order >= MAX_ORDER condition. > > Additionally, there is no check for 0 length write. > > [1] > WARNING: mm/page_alloc.c:5011 > [..] > Call Trace: > alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267 > alloc_pages include/linux/gfp.h:547 [inline] > kmalloc_order+0x2e/0xb0 mm/slab_common.c:837 > kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853 > kmalloc include/linux/slab.h:557 [inline] > kzalloc include/linux/slab.h:682 [inline] > qrtr_tun_write_iter+0x8a/0x180 net/qrtr/tun.c:83 > call_write_iter include/linux/fs.h:1901 [inline] > > Reported-by: syzbot+c2a7e5c5211605a90...@syzkaller.appspotmail.com > Signed-off-by: Sabyrzhan Tasbolatov > --- > net/qrtr/tun.c | 6 ++ > 1 file changed, 6 insertions(+) > > diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c > index 15ce9b642b25..b238c40a9984 100644 > --- a/net/qrtr/tun.c > +++ b/net/qrtr/tun.c > @@ -80,6 +80,12 @@ static ssize_t qrtr_tun_write_iter(struct kiocb *iocb, > struct iov_iter *from) > ssize_t ret; > void *kbuf; > > + if (!len) > + return -EINVAL; > + > + if (len > KMALLOC_MAX_SIZE) > + return -ENOMEM; Probably not enough. qrtr_endpoint_post() will later attempt a netdev_alloc_skb() which will need some extra space (for struct skb_shared_info) Do we really expect to accept huge lengths here ? > + > kbuf = kzalloc(len, GFP_KERNEL); > if (!kbuf) > return -ENOMEM; >
Re: [PATCH] net/qrtr: restrict user-controlled length in qrtr_tun_write_iter()
Hello: This patch was applied to netdev/net.git (refs/heads/master): On Tue, 2 Feb 2021 15:20:59 +0600 you wrote: > syzbot found WARNING in qrtr_tun_write_iter [1] when write_iter length > exceeds KMALLOC_MAX_SIZE causing order >= MAX_ORDER condition. > > Additionally, there is no check for 0 length write. > > [1] > WARNING: mm/page_alloc.c:5011 > [..] > Call Trace: > alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267 > alloc_pages include/linux/gfp.h:547 [inline] > kmalloc_order+0x2e/0xb0 mm/slab_common.c:837 > kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853 > kmalloc include/linux/slab.h:557 [inline] > kzalloc include/linux/slab.h:682 [inline] > qrtr_tun_write_iter+0x8a/0x180 net/qrtr/tun.c:83 > call_write_iter include/linux/fs.h:1901 [inline] > > [...] Here is the summary with links: - net/qrtr: restrict user-controlled length in qrtr_tun_write_iter() https://git.kernel.org/netdev/net/c/2a80c1581237 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
Re: [PATCH] net/qrtr: restrict user-controlled length in qrtr_tun_write_iter()
On Tue, 2 Feb 2021 15:20:59 +0600 Sabyrzhan Tasbolatov wrote: > syzbot found WARNING in qrtr_tun_write_iter [1] when write_iter length > exceeds KMALLOC_MAX_SIZE causing order >= MAX_ORDER condition. > > Additionally, there is no check for 0 length write. > > [1] > WARNING: mm/page_alloc.c:5011 > [..] > Call Trace: > alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267 > alloc_pages include/linux/gfp.h:547 [inline] > kmalloc_order+0x2e/0xb0 mm/slab_common.c:837 > kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853 > kmalloc include/linux/slab.h:557 [inline] > kzalloc include/linux/slab.h:682 [inline] > qrtr_tun_write_iter+0x8a/0x180 net/qrtr/tun.c:83 > call_write_iter include/linux/fs.h:1901 [inline] > > Reported-by: syzbot+c2a7e5c5211605a90...@syzkaller.appspotmail.com > Signed-off-by: Sabyrzhan Tasbolatov > --- > net/qrtr/tun.c | 6 ++ > 1 file changed, 6 insertions(+) > > diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c > index 15ce9b642b25..b238c40a9984 100644 > --- a/net/qrtr/tun.c > +++ b/net/qrtr/tun.c > @@ -80,6 +80,12 @@ static ssize_t qrtr_tun_write_iter(struct kiocb *iocb, > struct iov_iter *from) > ssize_t ret; > void *kbuf; > > + if (!len) > + return -EINVAL; > + > + if (len > KMALLOC_MAX_SIZE) > + return -ENOMEM; > + > kbuf = kzalloc(len, GFP_KERNEL); For potential, separate clean up - this is followed by copy_from_iter_full(len) kzalloc() can probably be replaced by kmalloc()? > if (!kbuf) > return -ENOMEM;
[PATCH] net/qrtr: restrict user-controlled length in qrtr_tun_write_iter()
syzbot found WARNING in qrtr_tun_write_iter [1] when write_iter length exceeds KMALLOC_MAX_SIZE causing order >= MAX_ORDER condition. Additionally, there is no check for 0 length write. [1] WARNING: mm/page_alloc.c:5011 [..] Call Trace: alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267 alloc_pages include/linux/gfp.h:547 [inline] kmalloc_order+0x2e/0xb0 mm/slab_common.c:837 kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853 kmalloc include/linux/slab.h:557 [inline] kzalloc include/linux/slab.h:682 [inline] qrtr_tun_write_iter+0x8a/0x180 net/qrtr/tun.c:83 call_write_iter include/linux/fs.h:1901 [inline] Reported-by: syzbot+c2a7e5c5211605a90...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov --- net/qrtr/tun.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c index 15ce9b642b25..b238c40a9984 100644 --- a/net/qrtr/tun.c +++ b/net/qrtr/tun.c @@ -80,6 +80,12 @@ static ssize_t qrtr_tun_write_iter(struct kiocb *iocb, struct iov_iter *from) ssize_t ret; void *kbuf; + if (!len) + return -EINVAL; + + if (len > KMALLOC_MAX_SIZE) + return -ENOMEM; + kbuf = kzalloc(len, GFP_KERNEL); if (!kbuf) return -ENOMEM; -- 2.25.1