Re: [PATCH] drivers/mt: restrict num_slots in input_mt_init_slots()

2021-02-26 Thread Sabyrzhan Tasbolatov
On Tue, 2 Feb 2021 18:08:07 +0600, Sabyrzhan Tasbolatov wrote: > syzbot found WARNING in input_mt_init_slots [1] when > struct_size(mt, slots, num_slots)=0x40006 where num_slots=0x10001, > which exceeds KMALLOC_MAX_SIZE (0x4) and causes > order >= MAX_ORDER condition. >

Re: [PATCH] drivers/hid: fix for the big hid report length

2021-02-26 Thread Sabyrzhan Tasbolatov
On Thu, 25 Feb 2021 10:59:14 -0500, Alan Stern wrote: > Won't this cause silent errors? Agree. But there are already such cases, like in: // net/bluetooth/hidp/core.c static void hidp_process_report(..) { .. if (len > HID_MAX_BUFFER_SIZE) len = HID_MAX_BUFFER_SIZ

[PATCH] drivers/hid: fix for the big hid report length

2021-02-25 Thread Sabyrzhan Tasbolatov
-core.c:590 [inline] Reported-by: syzbot+ab02336a647181a88...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov --- drivers/hid/usbhid/hid-core.c | 2 +- include/linux/hid.h | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/hid/usbhid/hid-core.c b

[PATCH v2] fs/ext4: fix integer overflow in s_log_groups_per_flex

2021-02-24 Thread Sabyrzhan Tasbolatov
xt4_mb_init_backend fs/ext4/mballoc.c:2713 [inline] ext4_mb_init+0x19bc/0x19f0 fs/ext4/mballoc.c:2898 ext4_fill_super+0xc2ec/0xfbe0 fs/ext4/super.c:4983 Reported-by: syzbot+a8b4b0c60155e87e9...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov --- v2: updated > 32 condition to >= 32 &

Re: [PATCH] net/qrtr: restrict length in qrtr_tun_write_iter()

2021-02-21 Thread Sabyrzhan Tasbolatov
> Do we really expect to accept huge lengths here ? Sorry for late response but I couldn't find any reference to the max length of incoming data for qrtr TUN interface. > qrtr_endpoint_post() will later attempt a netdev_alloc_skb() which will need > some extra space (for struct skb_shared_info) T

Re: WARNING in iov_iter_revert (2)

2021-02-21 Thread Sabyrzhan Tasbolatov
>--- a/drivers/tty/tty_io.c >+++ b/drivers/tty/tty_io.c >@@ -961,6 +961,9 @@ static inline ssize_t do_tty_write( > ret = write(tty, file, tty->write_buf, size); > if (ret <= 0) > break; >+/* ttyprintk historical odd

[PATCH v2] tty: fix when iov_iter_count() returns 0 in tty_write()

2021-02-17 Thread Sabyrzhan Tasbolatov
ine] new_sync_write+0x426/0x650 fs/read_write.c:518 vfs_write+0x791/0xa30 fs/read_write.c:605 ksys_write+0x12d/0x250 fs/read_write.c:658 Fixes: 9bb48c82aced ("tty: implement write_iter") Reported-by: syzbot+3d2c27c2b7dc2a948...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov --- v2:

[PATCH] tty: fix when iov_iter_count() returns 0 in tty_write()

2021-02-17 Thread Sabyrzhan Tasbolatov
ine] new_sync_write+0x426/0x650 fs/read_write.c:518 vfs_write+0x791/0xa30 fs/read_write.c:605 ksys_write+0x12d/0x250 fs/read_write.c:658 Fixes: 494e63ee9c("tty: implement write_iter") Reported-by: syzbot+3d2c27c2b7dc2a948...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov --- drivers

[PATCH v4] drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue

2021-02-09 Thread Sabyrzhan Tasbolatov
a7c...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov --- > This patch does not apply to the tree... Apologies, it was so stupid from my side. Tested locally and via syzbot. v4: made a patch based on commit 65f0d2414b("Merge tag 'sound-5.11-rc4' of git://git.kernel.org/pub/scm/l

[PATCH v3] drivers/misc/vmw_vmci: restrict too big queue size in

2021-02-09 Thread Sabyrzhan Tasbolatov
LOC_MAX_SIZE=0x40. > Reported-by: syzbot+15ec7391f3d6a1a7c...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov > --- >>> As this is controllable by userspace, you just provided a way to flood >>> the kernel logs. >>> >>> Please m

[PATCH v2] drivers/misc/vmw_vmci: restrict too big queue size in

2021-02-09 Thread Sabyrzhan Tasbolatov
ted-by: syzbot+15ec7391f3d6a1a7c...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov --- >As this is controllable by userspace, you just provided a way to flood >the kernel logs. > >Please make this a dev_dbg() call instead, if you really want to see it. >Otherwise ju

[PATCH] drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue

2021-02-05 Thread Sabyrzhan Tasbolatov
eue_pair.c:540 [inline] qp_broker_create drivers/misc/vmw_vmci/vmci_queue_pair.c:1351 [inline] qp_broker_alloc+0x936/0x2740 drivers/misc/vmw_vmci/vmci_queue_pair.c:1739 Reported-by: syzbot+15ec7391f3d6a1a7c...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov --- drivers/misc/vmw_vmci

[PATCH] net/qrtr: replaced useless kzalloc with kmalloc in qrtr_tun_write_iter()

2021-02-04 Thread Sabyrzhan Tasbolatov
urn -ENOMEM; Signed-off-by: Sabyrzhan Tasbolatov --- net/qrtr/tun.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c index b238c40a9984..9b607c7614de 100644 --- a/net/qrtr/tun.c +++ b/net/qrtr/tun.c @@ -86,7 +86,7 @@ static ssize_t qrtr_tun_write

[PATCH v2] fs/squashfs: restrict length of xattr_ids in read_xattr_id_table

2021-02-03 Thread Sabyrzhan Tasbolatov
559 [inline] > squashfs_read_table+0x43/0x1e0 fs/squashfs/cache.c:413 > squashfs_read_xattr_id_table+0x191/0x220 fs/squashfs/xattr_id.c:81 Reported-by: syzbot+2ccea6339d3683608...@syzkaller.appspotmail.com Reported-by: kernel test robot Signed-off-by: Sabyrzhan Tasbolatov --- fs/squash

[PATCH] fs/ext4: fix integer overflow in s_log_groups_per_flex

2021-02-03 Thread Sabyrzhan Tasbolatov
kend fs/ext4/mballoc.c:2713 [inline] ext4_mb_init+0x19bc/0x19f0 fs/ext4/mballoc.c:2898 ext4_fill_super+0xc2ec/0xfbe0 fs/ext4/super.c:4983 Reported-by: syzbot+a8b4b0c60155e87e9...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov --- fs/ext4/mballoc.c | 11 +-- 1 file changed

[PATCH] fs/squashfs: restrict length of xattr_ids in read_xattr_id_table

2021-02-03 Thread Sabyrzhan Tasbolatov
/xattr_id.c:81 Reported-by: syzbot+2ccea6339d3683608...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov --- fs/squashfs/xattr_id.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/squashfs/xattr_id.c b/fs/squashfs/xattr_id.c index d99e08464554..6bb51cd3d5c1 100644 ---

Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions

2021-02-02 Thread Sabyrzhan Tasbolatov
> if PAGE_SIZE >= SMK_LOADSIZE all legitimate requests can be made > using PAGE_SIZE as a limit. Your example with 19990 spaces before > the data demonstrates that the interface is inadequately documented. > Tizen and Automotive Grade Linux are going to be fine with a PAGE_SIZE > limit. The best wa

[PATCH] drivers/mt: restrict length of kzalloc in input_mt_init_slots()

2021-02-02 Thread Sabyrzhan Tasbolatov
bot+0122fa359a6969439...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov --- drivers/input/input-mt.c | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/input/input-mt.c b/drivers/input/input-mt.c index 44fe6f2f063c..e542f45a45ab 100644 --- a/drivers/input/input-mt.c ++

[PATCH] net/qrtr: restrict user-controlled length in qrtr_tun_write_iter()

2021-02-02 Thread Sabyrzhan Tasbolatov
ude/linux/fs.h:1901 [inline] Reported-by: syzbot+c2a7e5c5211605a90...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov --- net/qrtr/tun.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c index 15ce9b642b25..b238c40a9984 100644 --- a/net/qrtr/tu

[PATCH] net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS

2021-02-01 Thread Sabyrzhan Tasbolatov
syzbot+1bd2b07f93745fa38...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov --- net/rds/rdma.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/rds/rdma.c b/net/rds/rdma.c index 1d0afb1dd77b..6f1a50d50d06 100644 --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -565,6 +565,9

Re: [PATCH v2] smackfs: restrict bytes count in smackfs write functions

2021-01-28 Thread Sabyrzhan Tasbolatov
> > /* > > +* No partial write. > > * Enough data must be present. > > */ > > if (*ppos != 0) > > return -EINVAL; > > + if (count == 0 || count > PAGE_SIZE) > > + return -EINVAL; > > > > data = memdup_user_nul(buf, count); > > if (IS_ERR(data)
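Review bot: the added `count == 0 || count > PAGE_SIZE` test ahead of `memdup_user_nul(buf, count)` has no comment saying why PAGE_SIZE is the ceiling. A one-line comment on that check, stating that it bounds the user-supplied length before the copy allocates, would make the intent clear to the next reader. The `count == 0` arm also makes a zero-length write return -EINVAL, which is worth stating in the changelog so the behaviour change is on record.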

[PATCH v2] smackfs: restrict bytes count in smackfs write functions

2021-01-28 Thread Sabyrzhan Tasbolatov
roduce the WARNING: python -c "print('A' * 0x40)" > /sys/fs/smackfs/netlabel Reported-by: syzbot+a71a442385a0b2815...@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov --- security/smack/smackfs.c | 21 +++-- 1 file changed, 19 insertions

[PATCH] smackfs: restrict bytes count in smackfs write functions

2021-01-24 Thread Sabyrzhan Tasbolatov
Signed-off-by: Sabyrzhan Tasbolatov --- security/smack/smackfs.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c index 5d44b7d258ef..88678c6f1b8c 100644 --- a/security/smack/smackfs.c +++ b/security/smack/smackfs.c